Package: python2.6 Version: 2.6.4-6 Severity: important Tags: security Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for python2.6.
CVE-2008-5983[0]: | Untrusted search path vulnerability in the PySys_SetArgv API function | in Python 2.6 and earlier, and possibly later versions, prepends an | empty string to sys.path when the argv[0] argument does not contain a | path separator, which might allow local users to execute arbitrary | code via a Trojan horse Python file in the current working directory. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. Note there appears to be no upstream solution at the moment. There is a proposed patch [1], but for some reason hasn't been reviewed yet by upstream after over half a year. The redhat bug [2] may also be useful. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5983 http://security-tracker.debian.org/tracker/CVE-2008-5983 [1] http://bugs.python.org/issue5753 [2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-5983 -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
