Gentoo Archives: gentoo-user-es

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-user-es] [gentoo-announce] GLSA: python
Date: Thu, 03 Oct 2002 09:45:03
Message-Id: 20021003144439.0ED6A347B9@mail1.tamperd.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- - --------------------------------------------------------------------

PACKAGE        :python
SUMMARY        :os.execvpe() vulnerability
DATE           :2002-10-03 14:45 UTC

- - --------------------------------------------------------------------

OVERVIEW

By exploiting this vulnerability a local attacker can execute
arbitrary code with the privileges of the user running Python code
which uses the execvpe() method.

DETAIL

Zack Weinberg found a vulnerability in the way the execvpe() method
from the os.py module uses a temporary file name. A file which
supposedly should not exist is created in an unsafe way and the method
tries to execute it. The objective of such code is to discover what
error the operating system returns in a portable way.

SOLUTION

It is recommended that all Gentoo Linux users who are running
dev-lang/python-2.2.1-r4 and earlier update their systems
as follows:

emerge rsync
emerge python
emerge clean

- - --------------------------------------------------------------------
aliz@g.o - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9nFfWfT7nyhUpoZMRAlRIAKChIVtWL75kMwXlt0Ifk5s5seczkgCgiaKZ
t1mU5Nim159c3J9y9dyjELs=
=80ty
-----END PGP SIGNATURE-----
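
The DETAIL section describes a PATH search that learns the "file not found" error by trying to execute a temporary file name that should not exist. The sketch below is an added example, not part of the advisory and not Python's own code: it shows the same kind of search classifying failures with errno constants, so no temporary file name is ever executed. The function name search_and_exec and its injectable execve parameter are hypothetical.

```python
import errno
import os

# Errors meaning "not in this PATH directory, try the next one".
# Comparing against errno constants removes the need to probe the OS by
# executing a predictable temporary file name.
_SKIP = (errno.ENOENT, errno.ENOTDIR)


def search_and_exec(file, args, env, execve=os.execve):
    """Search PATH for `file` and execute it, without a temp-file probe.

    `execve` is injectable (hypothetical parameter) so the search logic
    can be exercised without replacing the current process.
    """
    if os.path.dirname(file):
        # An explicit path was given: no PATH search at all.
        return execve(file, args, env)

    # Hardening choice made for this example: empty PATH entries, which
    # mean "current directory", are skipped.
    dirs = [d for d in env.get("PATH", os.defpath).split(os.pathsep) if d]

    saved = None  # first error that is not a plain "not found"
    last = None   # last "not found" style error
    for directory in dirs:
        candidate = os.path.join(directory, file)
        try:
            return execve(candidate, args, env)
        except OSError as exc:
            if exc.errno in _SKIP:
                last = exc
            elif saved is None:
                saved = exc  # e.g. EACCES: remember it, keep searching

    if saved is not None:
        raise saved
    if last is not None:
        raise last
    raise FileNotFoundError(errno.ENOENT, os.strerror(errno.ENOENT), file)
```
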