Package: python-rdflib-tools
Version: 4.2.2-1
Severity: normal
Tags: security
The CLI tools in python-rdflib-tools can load python modules
found in the current directory. This happens because "python -m"
adds the current directory to the python path.
$ echo 'print("Something")' > cgi.py
$ rdf2dot
INFO:rdflib:RDFLib Version: 4.2.2
Something
Reading from stdin as None...
The local cgi.py file is loaded instead of the system one.
There are probably other instances of this in the Debian
archive. Constructs such as:
python -m "$some_module"
python -c "$some_code"
$some_command | python
can lead to code injection from the current working directory.
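An added example, not part of the bug report or of rdflib, that models the mechanism described above: it lists which entries of a directory would shadow a standard-library module if that directory were searched first (as a stray cgi.py does under "python -m"), and builds the "python -I -m" command line that keeps the current directory off sys.path. The sample directory is constructed inside the script.

```python
# Added example (not from the bug report or rdflib): models the mechanism
# described above, where "python -m" searches the cwd first so a local
# cgi.py shadows the stdlib one, and shows the isolated-mode fix.
import os
import sys
import sysconfig
import tempfile


def stdlib_names():
    """Module names that ship with the interpreter."""
    known = set(sys.builtin_module_names)
    if hasattr(sys, "stdlib_module_names"):  # Python 3.10+
        known.update(sys.stdlib_module_names)
    else:  # older interpreters: list the stdlib directory instead
        for entry in os.listdir(sysconfig.get_paths()["stdlib"]):
            known.add(entry[:-3] if entry.endswith(".py") else entry)
    return known


def shadowing_candidates(directory):
    """Entries in `directory` that would win over a stdlib module if that
    directory were searched first, as happens with "python -m" in the cwd."""
    known, hits = stdlib_names(), []
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if entry.endswith(".py") and os.path.isfile(path):
            name = entry[:-3]
        elif os.path.isfile(os.path.join(path, "__init__.py")):
            name = entry  # a package directory shadows just as well
        else:
            continue
        if name.isidentifier() and name in known:
            hits.append(name)
    return hits


def hardened_launch(module, *args):
    """Command that runs `module` as "python -m" would, but with -I
    (isolated mode), so the current directory is not added to sys.path."""
    return [sys.executable, "-I", "-m", module, *args]


def demo():
    """Constructed reproduction of the report: a cwd holding a stray cgi.py."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname in ("cgi.py", "json.py", "mytool.py"):
            with open(os.path.join(tmp, fname), "w") as fh:
                fh.write('print("Something")\n')
        return shadowing_candidates(tmp)
```

Running shadowing_candidates() over the directory a packaged wrapper script is started from is a cheap pre-flight check; -I is the fix that removes the cwd from the search path regardless of what it contains.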
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable'), (90, 'unstable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8),
LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages python-rdflib-tools depends on:
ii python 2.7.15-4
ii python-rdflib 4.2.2-1
python-rdflib-tools recommends no packages.
python-rdflib-tools suggests no packages.
-- no debconf information