CVE-2008-5983

Priority
Description
Untrusted search path vulnerability in the PySys_SetArgv API function in
Python 2.6 and earlier, and possibly later versions, prepends an empty
string to sys.path when the argv[0] argument does not contain a path
separator, which might allow local users to execute arbitrary code via a
Trojan horse Python file in the current working directory.
Assigned-to
jdstrand
Notes
jdstrand: upstream added a new C API function, PySys_SetArgvEx, which can
be used to set sys.argv without also modifying sys.path. The default
behavior for PySys_SetArgv does not change.
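
Because the default behaviour of PySys_SetArgv is unchanged, an embedding application can check after interpreter start-up whether the working directory ended up on sys.path and which files there would be imported ahead of later entries. The following is an added example, not part of this tracker entry or the upstream patch; the function names are assumptions, and it also flags relative entries and the working directory itself, not only the empty string.

```python
import os
import sys

SUFFIXES = (".py", ".pyc", ".so", ".pyd")

def module_names(directory):
    """Top-level importable names found directly in `directory`."""
    names = set()
    try:
        entries = os.listdir(directory)
    except OSError:  # missing, unreadable or non-directory (e.g. zip) entry
        return names
    for name in entries:
        full = os.path.join(directory, name)
        stem, ext = os.path.splitext(name)
        if os.path.isfile(full) and ext in SUFFIXES:
            names.add(stem.split(".")[0])  # foo.cpython-312.so -> foo
        elif os.path.isfile(os.path.join(full, "__init__.py")):
            names.add(name)  # regular package directory
    return names

def cwd_entries(path_entries, cwd):
    """(index, entry) pairs resolved against `cwd`: '', relative
    entries, or an absolute entry equal to the working directory."""
    real_cwd = os.path.realpath(cwd)
    return [(i, e) for i, e in enumerate(path_entries)
            if isinstance(e, str)
            and (not os.path.isabs(e) or os.path.realpath(e) == real_cwd)]

def shadowing_files(path_entries, cwd):
    """For each flagged entry index, the module names it would supply
    ahead of an entry that appears later in the search path."""
    report = {}
    for i, entry in cwd_entries(path_entries, cwd):
        local = module_names(os.path.join(cwd, entry))
        later = set()
        for other in path_entries[i + 1:]:
            if isinstance(other, str):
                later |= module_names(os.path.join(cwd, other))
        report[i] = sorted(local & later)
    return report

if __name__ == "__main__":
    # Audit the running interpreter, e.g. from the embedded script itself.
    for idx, names in shadowing_files(sys.path, os.getcwd()).items():
        print("sys.path[%d]=%r resolves against the working directory; "
              "shadows: %s" % (idx, sys.path[idx], names or "nothing"))
```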
Package
Upstream: needs-triage
Package
Upstream: needs-triage
Package
Upstream: released (2.6.5+20100529-1)
Patches:
Upstream: http://hg.python.org/cpython/rev/3f08d98c8fa5/
Package
Upstream: released (2.7-1)
Package
Upstream: released (3.1.3-1)
Patches:
Upstream: http://hg.python.org/cpython/rev/9db8c414921f/
Package
Upstream: released (3.2)

Updated: 2019-12-05 20:52:32 UTC (commit 0aa5e7c87c8b55d2ec5c7f4ca1179cf75de91961)