[issue6402] Crash after attempt to set the error indicator via PyErr_SetString()

2009-07-02 Thread Jan Lieskovsky
New submission from Jan Lieskovsky ian...@seznam.cz: Hello guys, I am experiencing a segmentation fault when trying to set the error indicator via the PyErr_SetString() method called from C source. This occurs for all Python exceptions, as documented in: http://docs.python.org/c-api

[issue6402] Crash after attempt to set the error indicator via PyErr_SetString()

2009-07-02 Thread Jan Lieskovsky
Changes by Jan Lieskovsky ian...@seznam.cz: Added file: http://bugs.python.org/file14429/core.31283.bz2 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue6402

[issue6402] Crash after attempt to set the error indicator via PyErr_SetString()

2009-07-02 Thread Jan Lieskovsky
Changes by Jan Lieskovsky ian...@seznam.cz: -- nosy: +benjamin.peterson, gregory.p.smith, pitrou, psss ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue6402

[issue5753] CVE-2008-5983 python: untrusted python modules search path

2009-07-09 Thread Jan Lieskovsky
Jan Lieskovsky ian...@seznam.cz added the comment: Hello guys, what's the current state of this issue? The proposed patch still hasn't been projected into upstream Python code, so wondering: 1, when and if it will be? 2, if you have found another solution / patch? Thanks Regards, Jan

[issue5753] CVE-2008-5983 python: untrusted python modules search path

2009-07-15 Thread Jan Lieskovsky
Jan Lieskovsky ian...@seznam.cz added the comment: Link to older Python tracker issue discussing the same problem and closed with won't fix: http://bugs.python.org/issue946373 Strange enough, but implied from reading above issue, just an idea (don't shoot :)). Wouldn't it be possible

[issue14001] Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request

2012-02-13 Thread Jan Lieskovsky
New submission from Jan Lieskovsky ian...@seznam.cz: A denial of service flaw was found in the way the Simple XML-RPC Server module of Python processed client connections that were closed before the complete request body has been received. A remote attacker could use this flaw to cause Python

[issue14001] Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request

2012-02-13 Thread Jan Lieskovsky
Jan Lieskovsky ian...@seznam.cz added the comment: CVE request: [2] http://www.openwall.com/lists/oss-security/2012/02/13/3 -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue14001

[issue14001] CVE-2012-0845 Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request

2012-02-14 Thread Jan Lieskovsky
Jan Lieskovsky ian...@seznam.cz added the comment: The CVE identifier of CVE-2012-0845 has been assigned to this issue: [3] http://www.openwall.com/lists/oss-security/2012/02/13/4 -- title: Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed

[issue17980] CVE-2013-2099 ssl.match_hostname() trips over crafted wildcard names

2013-05-16 Thread Jan Lieskovsky
Jan Lieskovsky added the comment: The CVE identifier of CVE-2013-2099 has been assigned: http://www.openwall.com/lists/oss-security/2013/05/16/6 to this issue. -- nosy: +iankko title: ssl.match_hostname() trips over crafted wildcard names - CVE-2013-2099 ssl.match_hostname() trips

[issue16202] sys.path[0] security issues

2012-10-15 Thread Jan Lieskovsky
Jan Lieskovsky added the comment: Jeroen, just out of curiosity. Is the current issue different from CVE-2008-5983 (at first quick glance it looks to be the same issue)? [1] http://bugs.python.org/issue5753 Thank you, Jan. -- Jan iankko Lieskovsky -- nosy: +iankko

[issue5753] CVE-2008-5983 python: untrusted python modules search path

2009-04-14 Thread Jan Lieskovsky
New submission from Jan Lieskovsky ian...@seznam.cz: Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5983 (and related CVE ids) to the following vulnerability: Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly

[issue5753] CVE-2008-5983 python: untrusted python modules search path

2009-04-14 Thread Jan Lieskovsky
Jan Lieskovsky ian...@seznam.cz added the comment: To sum up the behavior, the following table displays whether modules are read from the current working directory for various ways how the python scripts can be launched (unfixed/fixed version): unfixed fixed run

[issue5753] CVE-2008-5983 python: untrusted python modules search path

2009-04-14 Thread Jan Lieskovsky
Jan Lieskovsky ian...@seznam.cz added the comment: As no longer work of python ./foo.py after patch utilization may cause, the update won't be acceptable, could you guys review the above patch and potentially provide another one? -- ___ Python

[issue5753] CVE-2008-5983 python: untrusted python modules search path

2009-04-14 Thread Jan Lieskovsky
Jan Lieskovsky ian...@seznam.cz added the comment: Just drop into /tmp and run (you will need the zenity package installed): python3.1 ./test.py or gedit# unfixed gedit in that directory. -- Added file: http://bugs.python.org/file13686/py_umspath_test.tar.gz

[issue2587] PyString_FromStringAndSize() to be considered unsafe

2009-04-29 Thread Jan Lieskovsky
Jan Lieskovsky ian...@seznam.cz added the comment: Hello guys, if I didn't overlook something pretty obvious, this should work with python-2.6, but it crashes. Could you please have a look? Thanks, Jan. -- Jan iankko Lieskovsky -- nosy: +iankko Added file: http://bugs.python.org

[issue5753] CVE-2008-5983 python: untrusted python modules search path

2009-05-05 Thread Jan Lieskovsky
Jan Lieskovsky ian...@seznam.cz added the comment: Antoine, (re: #msg87083, #msg87084) -- while the API change is acceptable and reasonable, it doesn't solve the core of the problem. I understand the change needs to be 'backward compatible' and shouldn't break the existing Python behavior