CVE-2008-5983 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5983): Untrusted search path vulnerability in the PySys_SetArgv API function in Python before 2.6 prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory.
Applications that trigger this vulnerability by calling PySys_SetArgv with a non-None argv need to make sure their sys.path is clean. An exemplary patch can be found here: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=sanitize_sys.path.diff;att=1;bug=504363
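A check for the condition described in the comment above, as an added example that is not taken from this bug report or from the linked Debian patch. It lists the sys.path entries that are resolved against the working directory (the empty string that PySys_SetArgv prepends, and, going beyond that specific case, any other relative entry) and uses importlib's PathFinder to show the lookup before and after they are removed. It assumes Python 3; the module name, the path list and the temporary directory are constructed samples.

```python
import importlib.machinery
import os
import tempfile


def unsafe_entries(path):
    """Return the search path entries that are resolved against the working directory."""
    # '' is what PySys_SetArgv prepends when argv[0] has no path separator;
    # '.' and any other relative entry are looked up relative to the cwd too.
    return [p for p in path if isinstance(p, str) and not os.path.isabs(p)]


def sanitized(path):
    """Return a copy of path without the entries that depend on the working directory."""
    bad = set(unsafe_entries(path))
    return [p for p in path if p not in bad]


def resolves_from_cwd(module_name, path, cwd):
    """Check, without importing anything, whether module_name would be found in cwd."""
    old = os.getcwd()
    os.chdir(cwd)
    try:
        importlib.invalidate_caches()
        spec = importlib.machinery.PathFinder.find_spec(module_name, path)
    finally:
        os.chdir(old)
    if spec is None or spec.origin is None:
        return False
    return os.path.dirname(os.path.realpath(spec.origin)) == os.path.realpath(cwd)


def demo():
    # Constructed sample: the search path of an embedding application after
    # PySys_SetArgv was called with an argv[0] that has no path separator.
    path = ["", "/usr/lib/python-constructed"]
    with tempfile.TemporaryDirectory() as cwd:
        # Constructed placeholder for a .py file sitting in the working directory.
        with open(os.path.join(cwd, "constructed_mod.py"), "w") as f:
            f.write("# constructed placeholder\n")
        before = resolves_from_cwd("constructed_mod", path, cwd)
        after = resolves_from_cwd("constructed_mod", sanitized(path), cwd)
    return unsafe_entries(path), before, after


if __name__ == "__main__":
    print(demo())
```

An embedding application can run the equivalent of `sanitized` on `sys.path` right after its PySys_SetArgv call.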
Isn't it better to make python behave better here to not allow for such an easy security mistake?
There is a Gnome tracker bug for all their applications: http://bugzilla.gnome.org/show_bug.cgi?id=569273

(In reply to comment #2)
> Isn't it better to make python behave better here to not allow for such an
> easy security mistake?

Yes, this behaviour is not properly specified in the API and some applications now hit this trap. However, changing behaviour always has the risk of other applications breaking, because they implicitly rely on it. Personally, I'd prefer fixing those applications that rely on this fluke rather than having others add special handlers themselves, but this seems best decided by Python upstream or our maintainers. I am not aware whether this discussion has been brought to them, but there are some comments already in other trackers:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=493937
https://bugzilla.redhat.com/show_bug.cgi?id=482814
Covered by GLSA 201401-04. Closing as fixed.