Debian 3.0: DSA 159-2 Critical: Python Insecure Temporary Files Fix
debian
September 9, 2002
The bugfix we distributed in DSA 159-1 unfortunately caused Python tosometimes behave improperly when a non-executable file existed earlierin the path and an executable file of the...
Topics Covered
Summary
[The mail just sent was formatted like an attachment due to a
misconception on my side. This mail is only the clearsign version. ]
The bugfix we distributed in DSA 159-1 unfortunately caused Python to
sometimes behave improperly when a non-executable file existed earlier
in the path and an executable file of the same name existed later in
the path. Zack Weinberg fixed this in the Python source. For
reference, here's the original advisory text:
Zack Weinberg discovered an insecure use of a temporary file in
os._execvpe from os.py. It uses a predictable name which could
lead execution of arbitrary code.
This problem has been fixed in several versions of Python: For the
current stable distribution (woody) it has been fixed in version
1.5.2-23.2 of Python 1.5, in version 2.1.3-3.2 of Python 2.1 and in
version 2.2.1-4.2 of Python 2.2. For the old stable distribution
(potato) this has been fixed in version 1.5.2-10potato13 for Python
1.5. For the unstable distribution (sid) this has been ...
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: python
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!