CVE-2008-5983

Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory.
References
Link Resource
http://www.openwall.com/lists/oss-security/2009/01/26/2 Mailing List Third Party Advisory
http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg586010.html Patch Third Party Advisory
http://www.nabble.com/Bug-484305%3A-bicyclerepair%3A-bike.vim-imports-untrusted-python-files-from-cwd-td18848099.html Broken Link
http://www.openwall.com/lists/oss-security/2009/01/28/5 Mailing List Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=482814 Issue Tracking Third Party Advisory
http://www.openwall.com/lists/oss-security/2009/01/30/2 Mailing List Third Party Advisory
http://security.gentoo.org/glsa/glsa-200903-41.xml Third Party Advisory
http://secunia.com/advisories/34522 Not Applicable
http://security.gentoo.org/glsa/glsa-200904-06.xml Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042751.html Mailing List Third Party Advisory
http://www.vupen.com/english/advisories/2010/1448 Permissions Required
http://secunia.com/advisories/40194 Not Applicable
http://www.redhat.com/support/errata/RHSA-2011-0027.html Third Party Advisory
http://secunia.com/advisories/42888 Not Applicable
http://www.vupen.com/english/advisories/2011/0122 Permissions Required
http://www.ubuntu.com/usn/USN-1596-1 Third Party Advisory
http://www.ubuntu.com/usn/USN-1613-2 Third Party Advisory
http://www.ubuntu.com/usn/USN-1613-1 Third Party Advisory
http://secunia.com/advisories/51040 Not Applicable
http://secunia.com/advisories/50858 Not Applicable
http://www.ubuntu.com/usn/USN-1616-1 Third Party Advisory
http://secunia.com/advisories/51087 Not Applicable
http://secunia.com/advisories/51024 Not Applicable
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

OR cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:13:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:canonical:ubuntu_linux:11.04:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*

Information

Published : 2009-01-27 18:30

Updated : 2022-07-05 11:57


NVD link : CVE-2008-5983

Mitre link : CVE-2008-5983


JSON object : View

CWE
CWE-426

Untrusted Search Path

Advertisement

dedicated server usa

Products Affected

canonical

  • ubuntu_linux

python

  • python

fedoraproject

  • fedora