
CVE-2008-5983

Description

Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory.

#### Bugs

* <https://bugs.launchpad.net/bugs/322196>
* <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=493937>
* <http://bugs.python.org/issue5753>
* <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572010>

#### Notes

Author | Note
---|---
[jdstrand](<https://launchpad.net/~jdstrand>) | upstream added new C API function, PySys_SetArgvEx, which can be used to set sys.argv without also modifying sys.path. The default behavior for PySys_SetArgv does not change.
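
Added example (not from this CVE record or from the Python project): a simplified Python model of the `sys.path` behaviour the description states, with a check an embedding application could run to flag and drop entries that resolve against the current working directory. The function names, the sample paths and the `trusted_dirs` parameter are assumptions, and symlink resolution of argv[0] is not modelled.

```python
import os


def argv_path_entry(argv0, updatepath=True):
    """Simplified model of the entry PySys_SetArgv prepends to sys.path.

    Returns None when nothing is prepended, which models calling
    PySys_SetArgvEx with updatepath set to 0.
    """
    if not updatepath:
        return None
    if os.sep not in argv0:
        return ""  # the case in the description: '' means "current directory"
    return os.path.dirname(argv0)


def cwd_dependent_entries(path_list, cwd, trusted_dirs=()):
    """Return (index, entry) for path entries that resolve relative to cwd.

    An entry is flagged when it is empty or relative, unless the directory
    it resolves to is listed in trusted_dirs (hypothetical allow-list).
    """
    trusted = {os.path.normpath(d) for d in trusted_dirs}
    findings = []
    for i, entry in enumerate(path_list):
        if entry == "" or not os.path.isabs(entry):
            resolved = os.path.normpath(os.path.join(cwd, entry))
            if resolved not in trusted:
                findings.append((i, entry))
    return findings


def harden(path_list, cwd, trusted_dirs=()):
    """Return a copy of path_list without the cwd-dependent entries."""
    bad = {i for i, _ in cwd_dependent_entries(path_list, cwd, trusted_dirs)}
    return [e for i, e in enumerate(path_list) if i not in bad]


if __name__ == "__main__":
    # Constructed sample search path and argv[0] values.
    base = ["/usr/lib/python2.6", "/usr/lib/python2.6/site-packages"]
    for argv0, update in [("app", True), ("/opt/app/run.py", True), ("app", False)]:
        entry = argv_path_entry(argv0, update)
        path = base if entry is None else [entry] + base
        print(argv0, update, cwd_dependent_entries(path, "/tmp"), harden(path, "/tmp"))
```

In an embedding application the same check can be applied to the live `sys.path` right after interpreter start-up, with `os.getcwd()` as `cwd`.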


Affected Package


OS | OS Version | Package Name | Package Version
---|---|---|---
ubuntu | 07.10 | python2.4 | any
ubuntu | 08.04 | python2.4 | 2.4.5-1ubuntu4.4
ubuntu | 08.10 | python2.4 | any
ubuntu | upstream | python2.4 | any
ubuntu | 07.10 | python2.5 | any
ubuntu | 08.04 | python2.5 | 2.5.2-2ubuntu6.2
ubuntu | 08.10 | python2.5 | any
ubuntu | upstream | python2.5 | any
ubuntu | 10.04 | python2.6 | 2.6.5-1ubuntu6.1
ubuntu | upstream | python2.6 | 2.6.5+20100529-1
ubuntu | upstream | python2.7 | 2.7-1
ubuntu | 10.04 | python3.1 | 3.1.2-0ubuntu3.2
ubuntu | upstream | python3.1 | 3.1.3-1
ubuntu | upstream | python3.2 | 3.2
