Package: eog
Version: 2.22.3-1
Severity: grave
Tags: security patch
Justification: user security hole
Usertags: pythonpath
eog's python interface calls PySys_SetArgv with an argv[0] that doesn't resolve to a filename. This causes Python to prepend sys.path with an empty string which, due to the use of relative imports, allows the possibility to run arbitrary code on the user's system if a file in their working directory matches the name of a python module eog tries to import. This should be fixed by Python 2.6 as it uses absolute imports by default, but I have not been able to test it and this still needs a fix for packages built against/used with the currently supported versions of Python.

-- 
James
GPG Key: 1024D/61326D40 2003-09-02
James Vega <[EMAIL PROTECTED]>
--- a/src/eog-python-module.c +++ b/src/eog-python-module.c @@ -388,6 +388,9 @@ PySys_SetArgv (1, argv); + /* Sanitize sys.path */ + PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)"); + if (!check_pygtk2 ()) { /* Warning message already printed in check_pygtk2 */ goto python_init_error;
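Review bot: the return value of PyRun_SimpleString is ignored in the added lines; it returns -1 when the statement raises, in which case initialisation would carry on with the empty entry still in sys.path. Check the result and `goto python_init_error` on failure, as the `check_pygtk2 ()` branch directly below already does. The placement itself is right: the sanitising statement runs immediately after `PySys_SetArgv (1, argv)` and before any further import, so nothing is resolved against the working directory in between.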
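As an added, defender-side illustration (not part of the report or the eog patch), the function below audits a sys.path-style list for the working-directory-dependent entries the report describes and shows a portable form of the patch's sanitising statement. The sys.path contents are constructed for the example; the only real eog-specific fact is the leading empty string inserted by PySys_SetArgv.

```python
import os
import sys

# Constructed sample: what sys.path looks like inside an embedded interpreter
# after PySys_SetArgv was given an argv[0] that is not a file. The leading ""
# is the entry the report is about; the other paths are illustrative only.
CONSTRUCTED_SYS_PATH = [
    "",
    "/usr/lib/eog/plugins",
    "/usr/lib/python2.5/site-packages/gtk-2.0",
    "/usr/lib/python2.5",
]


def cwd_dependent_entries(path):
    """Return the entries that make imports search the working directory:
    the empty string (treated as the cwd by the import system), '.', and
    any relative entry, which is resolved against the cwd at import time."""
    return [entry for entry in path
            if entry == "" or entry == "." or not os.path.isabs(entry)]


def sanitize_path(path):
    """Portable equivalent of the patch's `sys.path = filter(None, sys.path)`:
    drop empty entries but always return a real list. Under Python 3,
    filter() returns a lazy filter object, which is not a usable sys.path."""
    return [entry for entry in path if entry]


def patch_oneliner_yields_list():
    """True only with Python 2 semantics, where filter() returns a list."""
    return isinstance(filter(None, [""]), list)


def running_python2():
    return sys.version_info[0] == 2


if __name__ == "__main__":
    print("suspicious entries:", cwd_dependent_entries(CONSTRUCTED_SYS_PATH))
    print("sanitized:", sanitize_path(CONSTRUCTED_SYS_PATH))
    print("patch one-liner gives a list here:", patch_oneliner_yields_list())
```

Running the audit against the live interpreter (`cwd_dependent_entries(sys.path)`) on a plain `python` invocation normally reports nothing, since argv[0] then resolves to a file and the script's own directory is inserted instead.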