Package: pam-python
Version: 1.1.0
Severity: grave

The patch for Python 3.12 has been done incorrectly, so CVE-2019-16729 is actual again in this new version.
https://github.com/sunweaver/pam-python/pull/2/files#r1690115475 contains an explanation.

A correct adaptation to Python 3.12 may look like:

```
PyConfig config;
PyConfig_InitIsolatedConfig(&config); // note "Isolated" (!)!!!!!!
config.isolated = 1;
config.write_bytecode = 0;
config.use_environment = 0; /* Required to mitigate CVE-2019-16729 */ // <---- "= 1" in Debian. it's the bug
config.user_site_directory = 0; /* Required to mitigate CVE-2019-16729 */ // <---- "= 1" in Debian. it's the bug
config.site_import = 1;
config.install_signal_handlers = 0;
// XXX
PyStatus status = Py_InitializeFromConfig(&config);
if (PyStatus_Exception(status)) {
    PyConfig_Clear(&config);
    if (!PyStatus_IsExit(status)) {
        Py_ExitStatusException(status);
    }
    abort(); // I don't know what to do here.
}
PyConfig_Clear(&config);
```

I did not thoroughly test the code above (yes, it compiles, but I did not run it). The lines above XXX are, I think, 100% correct, but anyway, please recheck.
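The effect of the two settings marked as required can be observed from inside an interpreter through `sys.flags`. This is an added example, not code from the report or from pam-python: it uses the command-line `-I` switch as a stand-in for an isolated `PyConfig`, and `audit_flags`, `probe` and the marker directory are hypothetical names. The same `sys.flags` check could be run from a script loaded by the embedding module to confirm a fixed build.

```python
import json
import os
import subprocess
import sys
import tempfile

# sys.flags values expected when the PyConfig fields are set as in the report:
#   use_environment = 0      -> sys.flags.ignore_environment == 1
#   user_site_directory = 0  -> sys.flags.no_user_site == 1
EXPECTED = {"isolated": 1, "ignore_environment": 1, "no_user_site": 1}

# Runs in the child interpreter: report its flags and its module search path.
PROBE = (
    "import json, sys;"
    "print(json.dumps({'flags': {n: getattr(sys.flags, n) for n in "
    "('isolated', 'ignore_environment', 'no_user_site')}, 'path': sys.path}))"
)


def audit_flags(flags):
    """Return the hardening flags that do not have the expected value."""
    return sorted(n for n, want in EXPECTED.items() if flags.get(n) != want)


def probe(interp_args, marker_dir):
    """Start a child interpreter with PYTHONPATH=marker_dir (constructed input).

    Returns (missing_flags, leaked); leaked is True when the directory named
    by the caller's environment ended up on the child's sys.path.
    """
    env = dict(os.environ, PYTHONPATH=marker_dir)
    env.pop("PYTHONNOUSERSITE", None)  # keep the default run deterministic
    out = subprocess.run(
        [sys.executable, *interp_args, "-c", PROBE],
        env=env, check=True, capture_output=True, text=True,
    ).stdout
    data = json.loads(out)
    marker = os.path.realpath(marker_dir)
    leaked = any(os.path.realpath(p) == marker for p in data["path"] if p)
    return audit_flags(data["flags"]), leaked


if __name__ == "__main__":
    marker = tempfile.mkdtemp()  # empty directory, only its name matters
    for args in (["-I"], []):
        print(args or "(default)", probe(args, marker))
```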