*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: python2.5

There's an interesting bug (or feature?) in Python 2.5 and earlier that affects multiple applications using Python. The bug allows local or user-assisted remote arbitrary code execution. Here is the description of the Python CVE:

"Untrusted search path vulnerability in the PySys_SetArgv API function in Python before 2.6 prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory."

Affected packages are, at least:

CVE-2008-4863 - Blender (already fixed in Ubuntu, I think)
CVE-2008-5983 - Python
CVE-2008-5984 - Dia
CVE-2008-5985 - Epiphany
CVE-2008-5986 - Csound
CVE-2008-5987 - eog
CVE-2009-0314 - gedit
CVE-2009-0315 - xchat
CVE-2009-0316 - vim
CVE-2009-0317 - Nautilus
CVE-2009-0318 - Gnumeric

I'm not sure which versions of these packages and which Ubuntu releases are actually affected, though.

Source and more information: oss-security thread at
http://www.openwall.com/lists/oss-security/2009/01/28/2

** Affects: csound (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: dia (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: eog (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: epiphany (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: gedit (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: gnumeric (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: nautilus (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: python2.4 (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: python2.5 (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: vim (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: xchat (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-5983
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-5984
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-5985
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-5986
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-5987
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0314
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0315
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0316
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0317
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0318

-- 
Untrusted search path vulnerability in Python and multiple other programs
https://bugs.launchpad.net/bugs/322196
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
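The mechanism in the CVE text above, as an added example that is not part of the bug report or of CPython: a small Python model of the sys.path[0] entry the old PySys_SetArgv produced from argv[0], the import resolution that follows from it, and the mitigation an embedding application can apply afterwards (dropping the empty/cwd entry; later Python releases added PySys_SetArgvEx with updatepath=0 for the same purpose). The file paths, module name and sys.path contents are constructed for the demonstration.

```python
import posixpath


def legacy_argv0_path_entry(argv0):
    """Model of the sys.path[0] entry PySys_SetArgv (Python < 2.6) inserted.

    Simplified reconstruction of the behaviour described in the CVE text,
    not the CPython source: with a separator present, the directory part of
    argv[0] is used; without one (program found via PATH, e.g. "gedit") the
    entry is "", which the import system treats as the current directory.
    """
    sep_index = argv0.rfind("/")
    if sep_index == -1:
        return ""
    return argv0[:sep_index] or "/"   # "/usr/bin/gedit" -> "/usr/bin"


def resolve_import(module_name, path_entries, cwd, files):
    """First file the import would pick; `files` is a constructed set of
    absolute module paths standing in for the filesystem. "" means cwd."""
    for entry in path_entries:
        base = cwd if entry == "" else entry
        candidate = posixpath.join(base, module_name + ".py")
        if candidate in files:
            return candidate
    return None


def harden_sys_path(path_entries, cwd):
    """Mitigation (hypothetical helper) an embedding application can apply
    after PySys_SetArgv: drop the empty entry and anything resolving to cwd."""
    cwd_norm = posixpath.normpath(cwd)
    return [e for e in path_entries
            if e != "" and posixpath.normpath(posixpath.join(cwd, e)) != cwd_norm]


# Constructed scenario: an editor launched from a directory that happens to
# hold a file named like a standard-library module its plugins import.
CWD = "/home/user/downloads"
FILES = {"/home/user/downloads/gettext.py",     # untrusted file in cwd
         "/usr/lib/python2.5/gettext.py"}       # the real module
VULNERABLE_PATH = [legacy_argv0_path_entry("gedit"), "/usr/lib/python2.5"]
HARDENED_PATH = harden_sys_path(VULNERABLE_PATH, CWD)

if __name__ == "__main__":
    print("vulnerable:", resolve_import("gettext", VULNERABLE_PATH, CWD, FILES))
    print("hardened:  ", resolve_import("gettext", HARDENED_PATH, CWD, FILES))
```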
