CVE-2008-5983
This CVE name corresponds to:
The following information is adapted from the
Common Vulnerabilities and
Exposures (CVE) project. CVE and the CVE logo are trademarks
of The MITRE Corporation. CVE content is Copyright 2005, The
MITRE Corporation.
Details
Description
Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory.
References
| Source |
Reference |
| MLIST |
[debian-bugs] 20081112 Bug#493937: [Patch] Prevent loading of Python modules in working directory |
| MLIST |
[debian-bugs-rc] 20080805 Bug#484305: bicyclerepair: bike.vim imports untrusted python files from cwd |
| MLIST |
[oss-security] 20090126 CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric) |
| MLIST |
[oss-security] 20090128 Re: CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric) |
| MLIST |
[oss-security] 20090130 Re: CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric) |
| MISC |
https://bugzilla.redhat.com/show_bug.cgi?id=482814 |
| FEDORA |
FEDORA-2010-9652 |
| GENTOO |
GLSA-200903-41 |
| GENTOO |
GLSA-200904-06 |
| REDHAT |
RHSA-2011:0027 |
| UBUNTU |
USN-1596-1 |
| UBUNTU |
USN-1613-2 |
| UBUNTU |
USN-1613-1 |
| UBUNTU |
USN-1616-1 |
| SECUNIA |
34522 |
| SECUNIA |
40194 |
| SECUNIA |
42888 |
| SECUNIA |
50858 |
| SECUNIA |
51024 |
| SECUNIA |
51040 |
| SECUNIA |
51087 |
| VUPEN |
ADV-2010-1448 |
| VUPEN |
ADV-2011-0122 |
Copyright © 2005 The MITRE Corporation.
Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright
information.