Package: python-rdflib-tools
Version: 4.2.2-1
Severity: normal
Tags: security
The CLI tools in python-rdflib-tools can load python modules found in the
current directory. This happens because "python -m" appends the current
directory to the python path.

    $ echo 'print("Something")' > cgi.py
    $ rdf2dot
    INFO:rdflib:RDFLib Version: 4.2.2
    Something
    Reading from stdin as None...

The local cgi.py file is loaded instead of the system one.

There are probably other instances of this in the Debian archive. Constructs
such as:

    python -m "$some_module"
    python -c "$some_code"
    $some_command | python

can lead to code injection from the current working directory.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (90, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python-rdflib-tools depends on:
ii  python         2.7.15-4
ii  python-rdflib  4.2.2-1

python-rdflib-tools recommends no packages.

python-rdflib-tools suggests no packages.

-- no debconf information
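To reproduce the mechanism behind the report in isolation, here is an added example that is not part of the bug report or of python-rdflib-tools. It assumes a Python 3 interpreter at sys.executable; the marker module written as cgi.py and the PROBE snippet are constructed stand-ins for the reporter's cgi.py and for rdf2dot's own `import cgi`. It runs the probe through two of the constructs the report lists (`python -c "$some_code"` and `$some_command | python`), once with default flags and once with `-I`, and reports which `cgi` won the lookup.

```python
"""Added example (not from the bug report or python-rdflib-tools): show that
`python -c` and `... | python` resolve `cgi` from the working directory, and
that `python -I` (isolated mode, Python 3.4+) does not."""
import os
import subprocess
import sys
import tempfile
import textwrap

# Constructed stand-in for the cgi.py dropped into the working directory in the
# report. It only plants a marker; the report's version ran print(), and a
# hostile one could run anything at import time.
SHADOW_CGI = "SHADOW_LOADED = True\n"

# Constructed stand-in for rdf2dot's `import cgi`: resolve the module without
# executing it and report where the resolution landed.
PROBE = textwrap.dedent("""
    import importlib.util, os
    spec = importlib.util.find_spec("cgi")
    if spec is None or spec.origin is None:
        print("absent")      # cgi was removed from the stdlib in Python 3.13
    elif os.path.dirname(os.path.abspath(spec.origin)) == os.getcwd():
        print("shadowed")    # the copy in the working directory won
    else:
        print("system")      # the stdlib copy won
""")


def make_workdir():
    """Create a scratch directory containing the shadow cgi.py; return its path."""
    workdir = tempfile.mkdtemp(prefix="cwd-shadow-")
    with open(os.path.join(workdir, "cgi.py"), "w") as fh:
        fh.write(SHADOW_CGI)
    return workdir


def resolve_cgi(workdir, flags=(), via_stdin=False):
    """Run PROBE from `workdir` the way the report's constructs do and return
    'shadowed', 'system' or 'absent'.

    via_stdin=False  ->  python [flags] -c "$some_code"
    via_stdin=True   ->  $some_command | python [flags]
    `python -m` is not exercised here but behaves the same way: sys.path[0]
    is the current working directory unless isolated/safe-path mode is on.
    """
    env = dict(os.environ)
    env.pop("PYTHONPATH", None)       # keep the baseline at interpreter defaults
    env.pop("PYTHONSAFEPATH", None)
    if via_stdin:
        cmd, stdin = [sys.executable, *flags, "-"], PROBE
    else:
        cmd, stdin = [sys.executable, *flags, "-c", PROBE], None
    proc = subprocess.run(cmd, cwd=workdir, env=env, input=stdin,
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


if __name__ == "__main__":
    workdir = make_workdir()
    for flags in ((), ("-I",)):
        label = " ".join(flags) or "(default flags)"
        print(label, "-c:", resolve_cgi(workdir, flags),
              "stdin:", resolve_cgi(workdir, flags, via_stdin=True))
```

With default flags both constructs report "shadowed"; with `-I` they report "system" (or "absent" on 3.13+, where cgi no longer ships). On Python 3.11+ the narrower `-P` flag or `PYTHONSAFEPATH=1` drops the working directory from sys.path without the rest of isolated mode. None of these exist for the Python 2.7 interpreter in the report; there the usual fix is to launch the tool as a script file, since sys.path[0] is then the script's directory (e.g. /usr/bin) rather than whatever directory the user happens to be in.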