** Description changed: There's an interesting bug (or feature?) in Python 2.6 and earlier that affects multiple applications using Python. The bug allows local or user-assisted remote arbitrary code execution. Here is the description of the Python CVE: "Untrusted search path vulnerability in the PySys_SetArgv API function in Python before 2.6 prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory." (Python 2.6 is vulnerable, too. See the comments.) Affected packages are, at least: - CVE-2008-4863 - Blender (already fixed in Ubuntu, I think) + CVE-2008-4863 - Blender (already fixed in Ubuntu, I think) CVE-2008-5983 - Python CVE-2008-5984 - Dia CVE-2008-5985 - Epiphany CVE-2008-5986 - Csound CVE-2008-5987 - eog CVE-2009-0314 - gedit CVE-2009-0315 - xchat CVE-2009-0316 - vim CVE-2009-0317 - Nautilus CVE-2009-0318 - Gnumeric I'm not sure which versions of these packages and which Ubuntu releases are actually affected, though. Source and more information: oss-security thread at http://www.openwall.com/lists/oss-security/2009/01/28/2 + http://www.openwall.com/lists/oss-security/2009/01/26/2
-- Untrusted search path vulnerability in Python and multiple other programs https://bugs.launchpad.net/bugs/322196 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
