CVE-2008-5983 (retired)

Priority
Description
Untrusted search path vulnerability in the PySys_SetArgv API function in
Python 2.6 and earlier, and possibly later versions, prepends an empty
string to sys.path when the argv[0] argument does not contain a path
separator, which might allow local users to execute arbitrary code via a
Trojan horse Python file in the current working directory.
Notes
 jdstrand> upstream added a new C API function, PySys_SetArgvEx, which can
  be used to set sys.argv without also modifying sys.path. The default
  behavior for PySys_SetArgv does not change.
Assigned-to
jdstrand
Package
Upstream:needs-triage
Package
Upstream:needs-triage
Package
Upstream:released (2.6.5+20100529-1)
Patches:
Upstream:http://hg.python.org/cpython/rev/3f08d98c8fa5/
Package
Upstream:released (2.7-1)
Package
Upstream:released (3.1.3-1)
Patches:
Upstream:http://hg.python.org/cpython/rev/9db8c414921f/
Package
Upstream:released (3.2)

Updated: 2019-03-26 11:46:30 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)