Package: csound
Version: 1:5.08.2~dfsg-1
Severity: grave
Tags: security patch
Justification: user security hole
Usertags: pythonpath

csound's python interface calls PySys_SetArgv with an argv[0] that
doesn't resolve to a filename.  This causes Python to prepend sys.path
with an empty string which, due to the use of relative imports, allows
the possibility to run arbitrary code on the user's system if a file in
their working directory matches the name of a python module csound tries
to import.

This should be fixed by Python 2.6 as it uses absolute imports by
default, but I have not been able to test it and this still needs a fix
for packages built against/used with the currently supported versions of
Python.

-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <[EMAIL PROTECTED]>
--- a/frontends/CsoundAC/Shell.cpp
+++ b/frontends/CsoundAC/Shell.cpp
@@ -211,6 +211,8 @@ namespace csound
   void Shell::main(int argc, char **argv)
   {
     PySys_SetArgv_(argc, argv);
+    /* Sanitize sys.path */
+    PyRun_SimpleString_("import sys; sys.path = filter(None, sys.path)");
   }
 
   void Shell::initialize()
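Review bot: the return value of PyRun_SimpleString_ in Shell::main is discarded, so if the sanitizing statement fails, the empty sys.path entry stays in place with no indication. Check the result and report the failure rather than continuing. The expression filter(None, sys.path) also relies on filter returning a list, which holds on Python 2 only; a list comprehension such as [p for p in sys.path if p] gives the same result without that dependency. The identical literal is added again in ScoreGeneratorVst.cpp, so a single shared helper would keep the two call sites from drifting apart.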
--- a/frontends/CsoundVST/ScoreGeneratorVst.cpp
+++ b/frontends/CsoundVST/ScoreGeneratorVst.cpp
@@ -427,6 +427,8 @@
   Shell::open();
   char *argv[] = {"",""};
   PySys_SetArgv(1, argv);
+  /* Sanitize sys.path */
+  PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)");
   PyObject *mainModule = PyImport_ImportModule("__main__");
   result = runScript("import sys\n");
   if(result)
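Review bot: the sanitizing call sits between PySys_SetArgv and runScript("import sys\n"), but unlike the runScript call its result is never checked, so a failure here is silent while the next statement's result is tested with if(result). Running the statement through runScript, or testing the return value of PyRun_SimpleString, would handle both the same way. The hunk also leaves char *argv[] = {"",""} as it is, so the empty argv[0] that produces the empty sys.path entry is still passed in and the cleanup has to be repeated after any later PySys_SetArgv call; a comment saying so next to the added line would help.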

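The effect described in the report, and what removing the empty entry changes, as an added example (not code from csound or from the reporter). The module name `csnd_helper` and the directory layout are constructed for illustration, and a list comprehension stands in for `filter(None, sys.path)` so the example also runs on Python 3.

```python
import importlib.machinery
import os
import tempfile


def resolve(name, search_path):
    """Return the file `import name` would load given search_path, or None."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    return spec.origin if spec else None


def sanitize(search_path):
    """Drop empty entries, as the patch's filter(None, sys.path) does."""
    return [entry for entry in search_path if entry]


def demo():
    """Constructed layout: the same module name exists in the working
    directory and in a library directory that appears later on the path."""
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        workdir = os.path.join(root, "workdir")
        libdir = os.path.join(root, "lib")
        for directory in (workdir, libdir):
            os.mkdir(directory)
            with open(os.path.join(directory, "csnd_helper.py"), "w") as fh:
                fh.write("ORIGIN = %r\n" % directory)

        path_after_setargv = ["", libdir]  # "" is what the empty argv[0] adds
        previous = os.getcwd()
        os.chdir(workdir)
        try:
            before = resolve("csnd_helper", path_after_setargv)
            after = resolve("csnd_helper", sanitize(path_after_setargv))
        finally:
            os.chdir(previous)
        return {
            "before_from_workdir": os.path.dirname(before) == workdir,
            "after_from_libdir": os.path.dirname(after) == libdir,
        }


if __name__ == "__main__":
    print(demo())
```

An empty path entry is resolved against the current working directory at import time, which is why the result depends on where the host application was started.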