New submission from Serhiy Storchaka:

The uuid._find_mac() function tests that the executable file exists before 
running it. First it tries to run the unmodified executable name (i.e. from 
$PATH) and then from the /sbin or /usr/sbin directories. However, the test for 
the unmodified executable name is wrong: it actually tests that the executable 
name exists in the current directory rather than in $PATH.

As a result, uuid._find_mac() always fails on platforms where ifconfig is 
located in $PATH but not in /sbin or /usr/sbin (i.e. Gentoo). If 
unixdll_getnode() fails too, uuid.getnode() falls back to using 
_random_getnode(). This is a security issue.

test_uuid fails on such platforms too.

Here is a patch for 3.3+. Other Python versions require a different solution. 
For example, this check can just be removed.

----------
components: Library (Lib)
files: uuid_find_mac_which.patch
keywords: patch
messages: 204932
nosy: Arfrever, serhiy.storchaka
priority: normal
severity: normal
stage: patch review
status: open
title: uuid._find_mac fails if an executable not in /sbin or /usr/sbin
type: security
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4
Added file: http://bugs.python.org/file32931/uuid_find_mac_which.patch

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue19855>
_______________________________________
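
The lookup flaw described in the report, reproduced as an added example (this is not the code from uuid.py or from the attached patch). The function names, the search list and the fake tool name are assumptions made for the illustration; shutil.which is the standard PATH-aware lookup available in 3.3+.

```python
import os
import shutil
import stat
import tempfile

# Assumed search order, taken from the report's description.
SEARCH_DIRS = ["", "/sbin", "/usr/sbin"]


def find_by_exists(command):
    """Flawed lookup: '' + command is checked relative to the current
    working directory, so a tool that is only on $PATH is never found."""
    for d in SEARCH_DIRS:
        candidate = os.path.join(d, command)
        if os.path.exists(candidate):
            return candidate
    return None


def find_by_which(command):
    """PATH-aware lookup: $PATH first, then the fixed directories."""
    path = os.pathsep.join([os.environ.get("PATH", os.defpath), "/sbin", "/usr/sbin"])
    return shutil.which(command, path=path)


def demo():
    """Constructed scenario (POSIX): the tool exists only in a $PATH directory."""
    name = "fake-ifconfig-demo"  # constructed name, not a real tool
    old_path, old_cwd = os.environ.get("PATH"), os.getcwd()
    with tempfile.TemporaryDirectory() as bindir, \
            tempfile.TemporaryDirectory() as workdir:
        tool = os.path.join(bindir, name)
        with open(tool, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(tool, os.stat(tool).st_mode | stat.S_IXUSR)
        os.environ["PATH"] = bindir + os.pathsep + (old_path or os.defpath)
        os.chdir(workdir)
        try:
            return find_by_exists(name), find_by_which(name), tool
        finally:
            os.chdir(old_cwd)
            if old_path is None:
                del os.environ["PATH"]
            else:
                os.environ["PATH"] = old_path


if __name__ == "__main__":
    print(demo())
```

The existence check returns None for a tool that is reachable through $PATH, which is the condition under which the report says uuid.getnode() ends up on the random fallback.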