[Secure-testing-team] Bug#504352: eog: Python scripts load modules from current directory

James Vega jamessan at debian.org
Mon Nov 3 00:27:38 UTC 2008


Package: eog
Version: 2.22.3-1
Severity: grave
Tags: security patch
Justification: user security hole
Usertags: pythonpath

eog's python interface calls PySys_SetArgv with an argv[0] that doesn't
resolve to a filename.  This causes Python to prepend sys.path with an
empty string which, due to the use of relative imports, allows the
possibility to run arbitrary code on the user's system if a file in
their working directory matches the name of a python module eog tries to
import.

This should be fixed by Python 2.6 as it uses absolute imports by
default, but I have not been able to test it and this still needs a fix
for packages built against/used with the currently supported versions of
Python.

-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan at debian.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 02_sanitize_sys.path.patch
Type: text/x-diff
Size: 320 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081102/4d24228e/attachment.patch 
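Added example (not part of the bug report or the attached patch): a Python-side check for the hazard described above and a sys.path cleanup along the lines the patch name suggests. It assumes a current Python 3, where an empty sys.path entry still means the process's working directory, so the shadowing half of the problem reproduces even though Python 3 no longer does implicit relative imports; the module name and scratch directory are constructed for the demonstration.

```python
import importlib
import importlib.util
import os
import shutil
import sys
import tempfile


def sanitize_sys_path(path, cwd):
    """Return a copy of *path* without the entries that make an embedded
    interpreter import from its working directory: the empty string (what
    PySys_SetArgv inserts when argv[0] has no directory part) and any entry
    that resolves to *cwd* itself."""
    cwd = os.path.realpath(cwd)
    return [p for p in path if p != "" and os.path.realpath(p) != cwd]


def resolves_from_cwd(module_name):
    """Check whether *module_name* would currently be loaded from a file in
    the working directory (the shadowing case the bug report describes)."""
    spec = importlib.util.find_spec(module_name)
    if spec is None or not spec.origin:
        return False
    origin_dir = os.path.dirname(os.path.realpath(spec.origin))
    return origin_dir == os.path.realpath(os.getcwd())


def demo():
    """Reproduce the hazard in a scratch directory, then show that the
    sanitized sys.path no longer resolves the shadowing file.
    Returns (shadowed_before, shadowed_after)."""
    name = "constructed_shadow_module"  # constructed name, not a real eog module
    scratch = tempfile.mkdtemp()
    saved_cwd, saved_path = os.getcwd(), list(sys.path)
    try:
        with open(os.path.join(scratch, name + ".py"), "w") as fh:
            fh.write("SHADOWED = True\n")  # harmless marker module
        os.chdir(scratch)
        sys.path.insert(0, "")  # the state PySys_SetArgv left sys.path in
        importlib.invalidate_caches()
        before = resolves_from_cwd(name)
        sys.path[:] = sanitize_sys_path(sys.path, os.getcwd())
        importlib.invalidate_caches()
        after = resolves_from_cwd(name)
        return before, after
    finally:
        os.chdir(saved_cwd)
        sys.path[:] = saved_path
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    print("shadowed before/after sanitizing: %s/%s" % demo())
```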