Package: eog
Version: 2.22.3-1
Severity: grave
Tags: security patch
Justification: user security hole
Usertags: pythonpath
eog's python interface calls PySys_SetArgv with an argv[0] that doesn't resolve to a filename. This causes Python to prepend sys.path with an empty string which, due to the use of relative imports, allows the possibility to run arbitrary code on the user's system if a file in their working directory matches the name of a python module eog tries to import.

This should be fixed by Python 2.6 as it uses absolute imports by default, but I have not been able to test it and this still needs a fix for packages built against/used with the currently supported versions of Python.

-- 
James
GPG Key: 1024D/61326D40 2003-09-02
James Vega <[EMAIL PROTECTED]>
--- a/src/eog-python-module.c
+++ b/src/eog-python-module.c
@@ -388,6 +388,9 @@
PySys_SetArgv (1, argv);
+ /* Sanitize sys.path */
+ PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)");
+
if (!check_pygtk2 ()) {
/* Warning message already printed in check_pygtk2 */
goto python_init_error;
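Review bot: the return value of PyRun_SimpleString on the added line is ignored; it returns -1 (after printing the traceback) if the statement fails, in which case sys.path keeps its empty entry and initialization continues unsanitized. Suggest handling it the same way check_pygtk2 is handled just below, e.g. `if (PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)") < 0) goto python_init_error;`. The placement itself is right: the filter runs immediately after PySys_SetArgv and before check_pygtk2 performs the first import. One forward-compatibility caveat: filter(None, ...) returns a list on Python 2 but an iterator on Python 3, where sys.path must remain a list, so `sys.path = [p for p in sys.path if p]` is the portable spelling.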
_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
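The following is an added example, not part of the report or of eog's code: it recreates the state the report describes (an empty entry at the front of the module search path while the working directory holds a same-named file), applies the same sanitization as the patch, and shows where a module resolves before and after. The module name `eog_shadow_demo` and the helpers `sanitize_sys_path`, `module_origin` and `demo` are constructed for this example; lookups use `find_spec`, so nothing in the scratch file is executed.

```python
import importlib.machinery
import os
import sys
import tempfile

# Constructed module name standing in for one eog imports at startup (e.g. from check_pygtk2).
SHADOW_NAME = "eog_shadow_demo"


def sanitize_sys_path(path):
    """Equivalent of the patch's `sys.path = filter(None, sys.path)`: drop the empty
    entry PySys_SetArgv inserts. Written as a list comprehension because on Python 3
    filter() returns an iterator and sys.path must remain a list."""
    return [p for p in path if p]


def module_origin(name, search_path):
    """File a module would be loaded from when searched along `search_path`, or None.
    PathFinder.find_spec only locates the file; nothing in it is executed."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    return None if spec is None else spec.origin


def demo():
    """Recreate the reported state in a scratch working directory and compare where the
    module resolves before and after sanitizing.
    Returns (origin_before, origin_after, stdlib_still_found)."""
    stdlib_dir = os.path.dirname(os.__file__)
    with tempfile.TemporaryDirectory() as scratch:
        # Constructed stand-in for an unexpected file in the user's working directory.
        with open(os.path.join(scratch, SHADOW_NAME + ".py"), "w") as fh:
            fh.write("MARKER = 'resolved from the working directory'\n")
        old_cwd = os.getcwd()
        os.chdir(scratch)
        try:
            unsafe_path = ["", stdlib_dir]          # '' is what PySys_SetArgv leaves behind
            safe_path = sanitize_sys_path(unsafe_path)
            before = module_origin(SHADOW_NAME, unsafe_path)   # found in the cwd
            after = module_origin(SHADOW_NAME, safe_path)      # no longer found
            stdlib_ok = module_origin("os", safe_path) is not None
        finally:
            os.chdir(old_cwd)
    return before, after, stdlib_ok


if __name__ == "__main__":
    b, a, ok = demo()
    print("before sanitizing:", b)
    print("after sanitizing: ", a)
    print("stdlib still importable:", ok)
```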

