
Bug 256619 (CVE-2008-5983)

Summary: <dev-lang/python-{2.6.6-r1,2.7.1-r1,3.1.3-r1}: PySys_SetArgv() Untrusted search path vulnerability (CVE-2008-5983)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: leio, python
Priority: High
Keywords: Tracker
Version: unspecified
Hardware: All
OS: Linux
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=493937
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 257000, 257002, 257004, 257006, 257007, 257011, 257012, 257020, 305663

Description Robert Buchholz (RETIRED) gentoo-dev 2009-01-28 12:13:36 UTC
CVE-2008-5983 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5983):
  Untrusted search path vulnerability in the PySys_SetArgv API function
  in Python before 2.6 prepends an empty string to sys.path when the
  argv[0] argument does not contain a path separator, which might allow
  local users to execute arbitrary code via a Trojan horse Python file
  in the current working directory.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-01-30 23:46:19 UTC
Applications that trigger this vulnerability by calling PySys_SetArgv with a non-None argv need to make sure their sys.path is clean. An exemplary patch can be found here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=sanitize_sys.path.diff;att=1;bug=504363
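An added illustration, not taken from the bug report or the linked Debian patch, of the sys.path behaviour comment 1 asks embedding applications to clean up: a pure-Python model of the entry PySys_SetArgv() prepends for a given argv[0] (mirroring the POSIX branch of Python/sysmodule.c), followed by the sanitizer an application can run immediately after the call. On the fixed Python versions named in the summary the same result is obtained by calling PySys_SetArgvEx(argc, argv, 0), which skips the sys.path update entirely.

```python
"""Model of the CVE-2008-5983 sys.path hazard and its mitigation.

PySys_SetArgv() derives a sys.path[0] entry from argv[0]: the directory
part when argv[0] contains a path separator, otherwise the empty string,
which `import` resolves as the current working directory. An embedding
application that passes a bare program name therefore imports modules
from whatever directory its user happened to start it in.
"""
import sys

SEP = "/"  # POSIX branch of sysmodule.c; Windows resolves the exe path instead


def path_entry_for_argv0(argv0: str) -> str:
    """Return the entry PySys_SetArgv() prepends to sys.path for argv0."""
    sep_index = argv0.rfind(SEP)
    if sep_index < 0:
        return ""  # no separator: '' means "current working directory"
    # Drop the trailing separator, but keep a lone "/" for argv0 == "/prog".
    return argv0[:sep_index] or SEP


def simulate_pysys_setargv(argv: list, path: list) -> list:
    """sys.path as an embedding application sees it after PySys_SetArgv()."""
    if not argv:
        return list(path)
    return [path_entry_for_argv0(argv[0])] + list(path)


def sanitize_sys_path(path: list) -> list:
    """Remove implicit current-directory entries ('' and '.') from a path.

    This is the clean-up an application must perform right after
    PySys_SetArgv() and before the first import of any non-builtin module.
    """
    return [p for p in path if p not in ("", ".")]


def check_live_interpreter() -> list:
    """Report implicit cwd entries present in the running interpreter's sys.path."""
    return [p for p in sys.path if p in ("", ".")]


if __name__ == "__main__":
    # Constructed sample: an application started by bare name vs. full path.
    stdlib = ["/usr/lib/python2.5", "/usr/lib/python2.5/site-packages"]
    print("bare name :", simulate_pysys_setargv(["gedit"], stdlib))
    print("full path :", simulate_pysys_setargv(["/usr/bin/gedit"], stdlib))
    print("sanitized :", sanitize_sys_path(simulate_pysys_setargv(["gedit"], stdlib)))
```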
Comment 2 Mart Raudsepp gentoo-dev 2009-01-30 23:58:18 UTC
Isn't it better to make python behave better here to not allow for such an easy security mistake?
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-01-31 01:47:42 UTC
There is a Gnome tracker bug for all their applications:
http://bugzilla.gnome.org/show_bug.cgi?id=569273
(In reply to comment #2)
> Isn't it better to make python behave better here to not allow for such an
> easy security mistake?

Yes, this behaviour is not properly specified in the API and some applications now hit this trap. However, changing behaviour always has the risk of other applications breaking, because they implicitly rely on it.
Personally, I'd prefer fixing those applications that rely on this fluke rather than having others add special handlers themselves, but this seems best decided by Python upstream or our maintainers. I am not aware whether this discussion has been brought to them, but there are some comments already in other trackers:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=493937
https://bugzilla.redhat.com/show_bug.cgi?id=482814
Comment 4 Sergey Popov gentoo-dev 2014-01-06 22:03:32 UTC
Covered by GLSA 201401-04

Closing as fixed