gnumeric: untrusted python modules search path

Package(s): gnumeric
CVE #(s): CVE-2009-5983 CVE-2009-0318
Created: February 5, 2009
Updated: April 3, 2009
Description: gnumeric has an arbitrary code execution vulnerability. From the CVE entry: Untrusted search path vulnerability in the GObject wrapper around Python interpreter allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to an erroneous setting of sys.path by the PySys_SetArgv function.
Alerts:
Gentoo 200904-03 2009-04-03
Mandriva MDVSA-2009:043 2008-02-19
Fedora FEDORA-2009-1289 2009-02-05
Fedora FEDORA-2009-1295 2009-02-05
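
The lookup behind the description, as an added example (not code from Gnumeric, Python or LWN): when argv[0] does not name an existing script, PySys_SetArgv prepends an empty string to sys.path, which the import system reads as the current working directory. The sketch reports where a module name would load from without executing it, before and after dropping such entries; the module name, the application path and the helper names are constructed for the illustration.

```python
import importlib.machinery
import os
import tempfile


def cwd_dependent(entries):
    """Return the sys.path-style entries whose meaning changes with the working directory."""
    # "" is the entry an embedded interpreter gets when argv[0] is not an
    # existing script; "." and other relative paths behave the same way.
    return [e for e in entries if not os.path.isabs(e)]


def hardened(entries):
    """Copy of entries with every working-directory-dependent entry dropped."""
    bad = set(cwd_dependent(entries))
    return [e for e in entries if e not in bad]


def resolve_origin(module_name, entries):
    """Report which file `import module_name` would load. Nothing is executed."""
    spec = importlib.machinery.PathFinder.find_spec(module_name, entries)
    return None if spec is None else spec.origin


def demo():
    """Constructed scenario: a same-named file sits in the directory a document was opened from."""
    name = "constructed_helper_mod"  # hypothetical module name
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, name + ".py"), "w") as fh:
            fh.write("# constructed placeholder, never executed\n")
        os.chdir(workdir)
        try:
            # Constructed search path as an embedding application might see it.
            embedded_path = ["", "/usr/lib/constructed-app/python"]
            before = resolve_origin(name, embedded_path)
            after = resolve_origin(name, hardened(embedded_path))
        finally:
            os.chdir(old_cwd)  # leave the directory before it is deleted
    return before, after


if __name__ == "__main__":
    found_before, found_after = demo()
    print("with '' on the path:", found_before)
    print("after hardening:    ", found_after)
```

An embedding application can apply the same filter to sys.path right after initialising the interpreter, which is the kind of workaround the comment below refers to.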

gnumeric: untrusted python modules search path

Posted Feb 5, 2009 19:19 UTC (Thu) by welinder (guest, #4699)

This is not a Gnumeric problem, although it can be worked around in
Gnumeric (and all the other programs that embed Python).

The proper fix is to teach Python not to add random directories to
its load path.
