oss-sec mailing list archives

Re: CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric)


From: Robert Buchholz <rbu () gentoo org>
Date: Wed, 28 Jan 2009 12:48:17 +0100

On Monday 26 January 2009, Jan Lieskovsky wrote:
> Though this is a Python flaw (insertion of cwd at the
> beginning of the Python modules search path), according to our Python
> maintainers it can't be fixed on Python's side due the need
> of ensuring the work of other numerous packages, when loading
> Python modules.

Your subject seems to claim that this vulnerability is fixed on the 
Python side in 2.6 -- can you elaborate on that?

James Vega in the bug report you referenced [1] wrote:
> This problem should be solved in 2.6 since absolute imports are the
> default.

However, the specification of absolute imports [2] states:
> import foo
>
> refers to a top-level module or to another module inside the package.
> [...] To resolve the ambiguity, it is proposed that foo will always be
> a module or package reachable from sys.path. This is called an
> absolute import.

So absolute imports do not fix situations where you (e.g.) "import re"
with CWD=/tmp in sys.path. Also, the test case shows that at least
Python 2.6.1's PySys_SetArgv behaves the same:
$ ./484305 ""
['']
['', '/usr/lib64/python26.zip', '/usr/lib64/python2.6', '/usr/lib64/python2.6/plat-linux2', 
'/usr/lib64/python2.6/lib-tk', '/usr/lib64/python2.6/lib-old', '/usr/lib64/python2.6/lib-dynload', 
'/usr/lib64/python2.6/site-packages', '/usr/lib64/portage/pym']

Regards,
Robert

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484305
[2] http://www.python.org/dev/peps/pep-0328/#rationale-for-absolute-imports
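The point Robert makes, shown as an added example that is not part of the original message or of CPython: the sys.path list printed by his test program is used as constructed input, a tiny constructed filesystem stands in for the disk, and the helpers (`cwd_entries`, `harden`, `resolve_import`) are mine. The check flags every entry that makes the working directory a module search root (not only `''`, but also `'.'` or an explicit absolute cwd), the simulation shows why absolute imports do not help ("import re" still finds /tmp/re.py first), and the hardened list is what an embedding application would want instead.

```python
import os

# Constructed sample, copied from the test program's output in the message above:
# sys.path after PySys_SetArgv("") on Python 2.6.1. The leading '' entry means
# "the process's current working directory" and is searched first.
SAMPLE_PATH = [
    '', '/usr/lib64/python26.zip', '/usr/lib64/python2.6',
    '/usr/lib64/python2.6/plat-linux2', '/usr/lib64/python2.6/lib-tk',
    '/usr/lib64/python2.6/lib-old', '/usr/lib64/python2.6/lib-dynload',
    '/usr/lib64/python2.6/site-packages', '/usr/lib64/portage/pym',
]


def resolve(entry, cwd):
    """Directory a sys.path entry actually denotes for a process running in cwd.

    '' and '.' become cwd itself; other relative entries are taken relative to
    cwd; absolute entries are returned unchanged (os.path.join discards cwd).
    """
    return os.path.normpath(os.path.join(cwd, entry))


def cwd_entries(path, cwd):
    """Indices of the entries that make the working directory a module search root."""
    target = os.path.normpath(cwd)
    return [i for i, entry in enumerate(path) if resolve(entry, cwd) == target]


def harden(path, cwd):
    """Copy of path with every working-directory entry removed, order preserved."""
    drop = set(cwd_entries(path, cwd))
    return [entry for i, entry in enumerate(path) if i not in drop]


def resolve_import(module, path, cwd, files):
    """Simulate which file 'import module' would pick for a plain .py module.

    files is a constructed set of absolute file paths standing in for the
    filesystem; zip archives, packages and extension modules are not modelled.
    The walk is the same for absolute imports: first matching sys.path entry wins.
    """
    for entry in path:
        candidate = os.path.join(resolve(entry, cwd), module + '.py')
        if candidate in files:
            return candidate
    return None


if __name__ == '__main__':
    # Constructed filesystem: the real stdlib 're' plus a same-named file in /tmp.
    files = {'/usr/lib64/python2.6/re.py', '/tmp/re.py'}
    print('cwd entries:', cwd_entries(SAMPLE_PATH, '/tmp'))
    print('import re ->', resolve_import('re', SAMPLE_PATH, '/tmp', files))
    print('after harden ->',
          resolve_import('re', harden(SAMPLE_PATH, '/tmp'), '/tmp', files))
```

Applied to a live interpreter, `sys.path[:] = harden(sys.path, os.getcwd())` executed once at startup drops the implicit entry before any plugin code is imported; the index-based removal keeps the remaining search order exactly as the interpreter built it.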
