New submission from Serhiy Storchaka: The uuid._find_mac() function tests that executable file exist before run it. First it tries to run unmodified executable name (i.e. from $PATH) and then from the /sbin or /usr/sbin directories. However test for unmodified executable name is wrong, actually it tests that executable name exists in current directory rather than in $PATH.
As a result uuid._find_mac() always fails on platforms where ifconfig located in $PATH but not in /sbin or /usr/sbin (i.e. Gentoo). If unixdll_getnode() fails too, uuid.getnode() fallbacks to use of _random_getnode(). This is security issue. test_uuid fails on such platforms too. Here is a patch for 3.3+. Other Python versions requires different solution. For example this check can be just removed. ---------- components: Library (Lib) files: uuid_find_mac_which.patch keywords: patch messages: 204932 nosy: Arfrever, serhiy.storchaka priority: normal severity: normal stage: patch review status: open title: uuid._find_mac fails if an executable not in /sbin or /usr/sbin type: security versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4 Added file: http://bugs.python.org/file32931/uuid_find_mac_which.patch _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue19855> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
