reassign 504359 python-csoundac
tags 504359 pending

On 02/11/08 22:50 James Vega wrote:
> Package: csound
> Version: 1:5.08.2~dfsg-1
> Severity: grave
> Tags: security patch
> Justification: user security hole
> Usertags: pythonpath
>
> csound's python interface calls PySys_SetArgv with an argv[0] that
> doesn't resolve to a filename.  This causes Python to prepend sys.path
> with an empty string which, due to the use of relative imports, allows
> the possibility to run arbitrary code on the user's system if a file in
> their working directory matches the name of a python module csound tries
> to import.
>
> This should be fixed by Python 2.6 as it uses absolute imports by
> default, but I have not been able to test it and this still needs a fix
> for packages built against/used with the currently supported versions of
> Python.

Thanks for the patch. I have already added it to my working tree, will upload 
a new version soonish.

Regards,
Felipe Sateler
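
The search-path behaviour described in the report, as an added example that is not part of this thread or of the csound patch: it flags `sys.path` entries that resolve to the working directory and shows which file a module name resolves to before and after they are removed. The module name `helper_mod`, the function names and the two temporary directories are constructed for illustration.

```python
import importlib.machinery
import os
import tempfile

def cwd_entries(path, cwd):
    """Entries of a sys.path-style list that resolve to cwd.

    '' is what Python prepends when argv[0] does not resolve to a file.
    """
    cwd = os.path.realpath(cwd)
    return [p for p in path
            if p == "" or os.path.realpath(os.path.join(cwd, p)) == cwd]

def harden(path, cwd):
    """Copy of path without entries that resolve to the working directory."""
    bad = set(cwd_entries(path, cwd))
    return [p for p in path if p not in bad]

def resolve(name, path):
    """Origin file the import system would pick for name on this path."""
    importlib.invalidate_caches()
    spec = importlib.machinery.PathFinder.find_spec(name, path)
    return spec.origin if spec else None

def demo():
    """Constructed scenario: a trusted directory and the working directory
    both hold a module with the same hypothetical name, helper_mod."""
    old = os.getcwd()
    with tempfile.TemporaryDirectory() as trusted, \
         tempfile.TemporaryDirectory() as work:
        for d in (trusted, work):
            with open(os.path.join(d, "helper_mod.py"), "w") as f:
                f.write("WHERE = %r\n" % d)
        os.chdir(work)
        try:
            embedded = ["", trusted]  # path as left by the embedding app
            before = os.path.realpath(resolve("helper_mod", embedded))
            after = os.path.realpath(
                resolve("helper_mod", harden(embedded, work)))
            return (os.path.dirname(before) == os.path.realpath(work),
                    os.path.dirname(after) == os.path.realpath(trusted),
                    cwd_entries(embedded, work))
        finally:
            os.chdir(old)

if __name__ == "__main__":
    print(demo())
```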
