Debian Bug report logs - #156556
python: os.execvpe vulnerability

Package: python; Maintainer for python is Matthias Klose <doko@debian.org>; Source for python is src:python-defaults.

Reported by: Erno Kuusela <erno-debbugs@erno.iki.fi>

Date: Tue, 13 Aug 2002 15:48:06 UTC

Severity: grave

Tags: security

Found in version 2.1.3-3

Done: Matthias Klose <doko@cs.tu-berlin.de>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Gregor Hoffleit <flight@debian.org>:
Bug#156556; Package python.

Acknowledgement sent to Erno Kuusela <erno-debbugs@erno.iki.fi>:
New Bug report received and forwarded. Copy sent to Gregor Hoffleit <flight@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Erno Kuusela <erno-debbugs@erno.iki.fi>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python: os.execvpe vulnerability
Date: Tue, 13 Aug 2002 18:44:47 +0300
Package: python
Version: 2.1.3-3
Severity: grave
Tags: security
Justification: user security hole

see thread starting at
<URL: http://mail.python.org/pipermail/python-dev/2002-August/027223.html>.

summary: os._execvpe() does

  import tempfile                                                 
  t = tempfile.mktemp()  
  # Exec a file that is guaranteed not to exist
  execv(t, ('blah',))  

and mktemp generates easily predictable file names (which the
comment fails to take into account).


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux fabulous 2.4.19-rc2 #2 Sun Jul 21 23:57:23 EEST 2002 i686
Locale: LANG=C, LC_CTYPE=fi_FI

Versions of packages python depends on:
ii  python2.1                     2.1.3-3    An interactive object-oriented scr
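
The report above describes learning the "file not found" error by exec'ing a `mktemp()` name. As an added example (not code from this bug report or from Python's `os.py`), here is a PATH search that recognizes "not found" by comparing `errno` against `ENOENT`/`ENOTDIR`, so no temporary name is ever executed. The function name `execvpe_by_errno` and its injectable `execve` parameter are assumptions made for this illustration.

```python
import errno
import os

# errno values that mean "no program at this path"; anything else is a real failure.
NOT_FOUND = (errno.ENOENT, errno.ENOTDIR)


def execvpe_by_errno(file, args, env, execve=os.execve):
    """Search env's PATH for `file` and exec it, without any temp-file probe.

    `execve` is injectable (an assumption of this example) so the search logic
    can be exercised without replacing the current process.
    """
    if os.sep in file:
        # An explicit path is never searched for on PATH.
        return execve(file, args, env)

    not_found = None   # last ENOENT/ENOTDIR seen
    real_error = None  # first error that is not "not found" (e.g. EACCES)
    for directory in env.get("PATH", os.defpath).split(os.pathsep):
        candidate = os.path.join(directory, file)
        try:
            return execve(candidate, args, env)
        except OSError as exc:
            if exc.errno in NOT_FOUND:
                not_found = exc
            elif real_error is None:
                real_error = exc
    # Report the most informative failure: a real error beats "not found".
    raise real_error or not_found
```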




Information forwarded to debian-bugs-dist@lists.debian.org, Gregor Hoffleit <flight@debian.org>, python2.1@packages.qa.debian.org:
Bug#156556; Package python.

Acknowledgement sent to Moshe Zadka <m@moshez.org>:
Extra info received and forwarded to list. Copy sent to Gregor Hoffleit <flight@debian.org>, python2.1@packages.qa.debian.org.

Message #10 received at 156556@bugs.debian.org:

From: Moshe Zadka <m@moshez.org>
To: 156556@bugs.debian.org
Subject: Patch exists, integrated into CVS:
Date: 19 Aug 2002 19:52:18 -0000

See:
http://sourceforge.net/tracker/index.php?func=detail&aid=590294&group_id=5470&atid=305470

Committed in version 1.59 of os.py
Committed in version 1.47.4.1 of os.py (for 2.1)
Committed in version 1.50.8.3 of os.py (for 2.2)



Reply sent to Matthias Klose <doko@cs.tu-berlin.de>:
You have taken responsibility.

Notification sent to Erno Kuusela <erno-debbugs@erno.iki.fi>:
Bug acknowledged by developer.

Message #15 received at 156556-done@bugs.debian.org:

From: Matthias Klose <doko@cs.tu-berlin.de>
To: 156556-done@bugs.debian.org
Subject: fixed in python2.1-2.1.3-6a, python2.2-2.2.1-9 and python1.5-1.5.2-24
Date: Tue, 27 Aug 2002 08:54:03 +0200

fixed in python2.1-2.1.3-6a, python2.2-2.2.1-9 and python1.5-1.5.2-24



Information forwarded to debian-bugs-dist@lists.debian.org, Gregor Hoffleit <flight@debian.org>, python2.1@packages.qa.debian.org:
Bug#156556; Package python.

Acknowledgement sent to Erno Kuusela <erno@iki.fi>:
Extra info received and forwarded to list. Copy sent to Gregor Hoffleit <flight@debian.org>, python2.1@packages.qa.debian.org.

Message #20 received at 156556@bugs.debian.org:

From: Erno Kuusela <erno@iki.fi>
To: 156556@bugs.debian.org
Subject: Re: Bug#156556 acknowledged by developer (fixed in python2.1-2.1.3-6a, python2.2-2.2.1-9 and python1.5-1.5.2-24)
Date: Tue, 27 Aug 2002 11:22:44 +0300

hello,

| fixed in python2.1-2.1.3-6a, python2.2-2.2.1-9 and python1.5-1.5.2-24

is this going to woody security updates?

  -- erno




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 21:48:24 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.