Launchpad.net

CVE 2008-5983

Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory.

Related bugs and status

CVE-2008-5983 (Candidate) is related to these bugs:

Bug #322196: Untrusted search path vulnerability in Python and multiple other programs

		In	Importance	Status
322196	Untrusted search path vulnerability in Python and multiple other programs	python2.5 (Ubuntu)	Low	Invalid
322196	Untrusted search path vulnerability in Python and multiple other programs	python2.4 (Ubuntu)	Low	Invalid
322196	Untrusted search path vulnerability in Python and multiple other programs	dia (Ubuntu)	Low	Fix Released
322196	Untrusted search path vulnerability in Python and multiple other programs	epiphany (Ubuntu)	Undecided	Invalid
322196	Untrusted search path vulnerability in Python and multiple other programs	csound (Ubuntu)	Low	Fix Released
322196	Untrusted search path vulnerability in Python and multiple other programs	eog (Ubuntu)	Low	Fix Released
322196	Untrusted search path vulnerability in Python and multiple other programs	gedit (Ubuntu)	Low	Fix Released
322196	Untrusted search path vulnerability in Python and multiple other programs	xchat (Ubuntu)	Low	Fix Released
322196	Untrusted search path vulnerability in Python and multiple other programs	vim (Ubuntu)	Low	Fix Released
322196	Untrusted search path vulnerability in Python and multiple other programs	nautilus-python (Ubuntu)	Low	Fix Released
322196	Untrusted search path vulnerability in Python and multiple other programs	gnumeric (Ubuntu)	Low	Fix Released
322196	Untrusted search path vulnerability in Python and multiple other programs	epiphany-browser (Ubuntu)	Low	Fix Released
322196	Untrusted search path vulnerability in Python and multiple other programs	python2.3 (Ubuntu)	Undecided	Won't Fix
322196	Untrusted search path vulnerability in Python and multiple other programs	gedit	Medium	Fix Released
322196	Untrusted search path vulnerability in Python and multiple other programs	python2.6 (Ubuntu)	Low	Fix Released
322196	Untrusted search path vulnerability in Python and multiple other programs	Python	Unknown	Fix Released

Bug #788525: updating to python2.6.7 in lucid and updating

Summary				In	Importance	Status
	788525	updating to python2.6.7 in lucid and updating		python2.6 (Ubuntu)	Undecided	Invalid

See the

CVE page on Mitre.org for more details.

References

MLIST: [debian-bugs] 20081112...
MLIST: [oss-security] 2009012...
MLIST: [debian-bugs-rc] 20080...
MLIST: [oss-security] 2009012...
MLIST: [oss-security] 2009013...
MISC: https://bugzilla.redha...
GENTOO: GLSA-200903-41
SECUNIA: 34522
GENTOO: GLSA-200904-06
FEDORA: FEDORA-2010-9652
SECUNIA: 40194
VUPEN: ADV-2010-1448
REDHAT: RHSA-2011:0027
SECUNIA: 42888
VUPEN: ADV-2011-0122
UBUNTU: USN-1596-1
UBUNTU: USN-1613-2
UBUNTU: USN-1613-1
UBUNTU: USN-1616-1
SECUNIA: 50858
SECUNIA: 51024
SECUNIA: 51040
SECUNIA: 51087