[Secure-testing-team] Bug#504359: csound: Python scripts load modules from current directory

James Vega jamessan at debian.org
Mon Nov 3 01:50:56 UTC 2008


Package: csound
Version: 1:5.08.2~dfsg-1
Severity: grave
Tags: security patch
Justification: user security hole
Usertags: pythonpath

csound's Python interface calls PySys_SetArgv with an argv[0] that
doesn't resolve to a filename.  This causes Python to prepend sys.path
with an empty string which, due to the use of relative imports, allows
the possibility to run arbitrary code on the user's system if a file in
their working directory matches the name of a Python module csound tries
to import.

This should be fixed by Python 2.6 as it uses absolute imports by
default, but I have not been able to test it and this still needs a fix
for packages built against/used with the currently supported versions of
Python.

-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan at debian.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 1004-sanitize-sys.path.diff
Type: text/x-diff
Size: 728 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081102/091f08bc/attachment.diff 
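
The following is an added illustration, not part of the original message and not the attached patch (whose contents are not shown on this page). It emulates the reported state in Python 3 by prepending an empty string to a copy of sys.path instead of calling PySys_SetArgv, and checks where a module name would resolve before and after the path is sanitized; `sanitize_sys_path`, `resolves_from_cwd` and the module name `csound_demo_helper` are hypothetical names chosen for this sketch.

```python
import importlib
import importlib.machinery
import os
import sys
import tempfile


def sanitize_sys_path(path):
    """Return a copy of `path` without entries that resolve against the cwd."""
    # '' is the entry the report describes; '.' and any other relative entry
    # are dropped as well (an assumption of this sketch, not the Debian patch).
    return [p for p in path if isinstance(p, str) and os.path.isabs(p)]


def resolves_from_cwd(module_name, path):
    """True if `module_name` would be found in the current working directory."""
    importlib.invalidate_caches()
    spec = importlib.machinery.PathFinder.find_spec(module_name, path)
    if spec is None or not spec.origin:
        return False
    found_in = os.path.dirname(os.path.realpath(spec.origin))
    return found_in == os.path.realpath(os.getcwd())


def demo():
    name = "csound_demo_helper"  # hypothetical module name, constructed
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as workdir:
        os.chdir(workdir)
        try:
            # Constructed placeholder standing in for a same-named file in the cwd.
            with open(name + ".py", "w") as fh:
                fh.write("# placeholder\n")
            # Emulate the reported state: '' prepended to sys.path.
            embedded_path = [""] + list(sys.path)
            before = resolves_from_cwd(name, embedded_path)
            after = resolves_from_cwd(name, sanitize_sys_path(embedded_path))
        finally:
            os.chdir(old_cwd)
    return before, after  # (found in cwd with '', found in cwd after sanitizing)


if __name__ == "__main__":
    print(demo())
```

The lookup only locates the file through `find_spec`; nothing from the working directory is imported or executed.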