Control: retitle -1 python-rdflib-tools: CVE-2019-7653: Code injection from 
current working directory

Hi Gabriel!

On Fri, Feb 08, 2019 at 09:49:07PM +0100, Gabriel Corona wrote:
> Package: python-rdflib-tools
> Version: 4.2.2-1
> Severity: normal
> Tags: security
> 
> The CLI tools in python-rdflib-tools can load python modules
> found in the current directory. This happens because "python -m"
> appends the current directory to the python path.
> 
>     $ echo 'print("Something")' > cgi.py
>     $ rdf2dot
>     INFO:rdflib:RDFLib Version: 4.2.2
>     Something
>     Reading from stdin as None...
> 
> The local cgi.py file is loaded instead of the system one.
> 
> There are probably other instances of this in the Debian
> archive. Constructs such as:
> 
>   python -m "$some_module"
>   python -c "$some_code"
>   $some_command | python
> 
> can lead to code injection from current working directory

MITRE has assigned CVE-2019-7653 for this issue.

For those following the bug, this likely does not affect the upstream
project itself and is Debian specific, as the Debian packaging AFAICS
replaces the respective scripts/tools by wrappers invoking python -m
as described by Gabriel (please correct me if I'm wrong).

Regards,
Salvatore
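
An added illustration, not part of the bug report or of the Debian package: the checks a packager or defender could run against the behaviour described above, namely whether a given sys.path would import from the working directory, what the path looks like once that entry is dropped (the effect of `python -I`, or `python -P`/`PYTHONSAFEPATH` on 3.11+), and which files in a directory would shadow standard-library modules. The `cgi.py` file, the temporary directory and the `/usr/lib/python3/dist-packages` entry are constructed sample input.

```python
import os
import sys
import tempfile
from typing import Iterable, List, Set

# Names a stray file in the working directory could shadow. sys.stdlib_module_names
# exists from Python 3.10; cgi left the stdlib in 3.13, so add it to mirror the report.
STDLIB_NAMES: Set[str] = set(getattr(sys, "stdlib_module_names", ())) | {"cgi"}


def cwd_on_sys_path(path_entries: Iterable[str], cwd: str) -> bool:
    """True if imports would resolve from the working directory: `python -m`,
    `python -c` and `cmd | python` put '' (or the resolved cwd) at sys.path[0]."""
    cwd = os.path.realpath(cwd)
    return any(e == "" or os.path.realpath(e) == cwd for e in path_entries)


def hardened_path(path_entries: Iterable[str], cwd: str) -> List[str]:
    """Drop the working-directory entry, which is what `python -I` (3.4+),
    `python -P` or PYTHONSAFEPATH=1 (3.11+) do for a wrapper script."""
    cwd = os.path.realpath(cwd)
    return [e for e in path_entries if e != "" and os.path.realpath(e) != cwd]


def shadowing_modules(directory: str, names: Set[str] = STDLIB_NAMES) -> List[str]:
    """Top-level .py files or packages in `directory` whose name collides with an
    entry in `names`, i.e. what an unsafe sys.path would import instead."""
    hits = []
    for entry in sorted(os.listdir(directory)):
        stem, ext = os.path.splitext(entry)
        is_pkg = ext == "" and os.path.isdir(os.path.join(directory, entry))
        if (ext == ".py" or is_pkg) and stem in names:
            hits.append(stem)
    return hits


def demo() -> dict:
    """Reproduce the report's cgi.py scenario in a constructed temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "cgi.py"), "w") as f:
            f.write('print("Something")\n')  # constructed file, as in the report
        unsafe = ["", "/usr/lib/python3/dist-packages"]  # sys.path as `python -m` sets it
        return {
            "cwd_on_path": cwd_on_sys_path(unsafe, d),
            "hardened": hardened_path(unsafe, d),
            "shadowed": shadowing_modules(d),
        }
```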
