Package: epiphany-browser
Version: 2.22.3-6
Severity: grave
Tags: security patch upstream
Justification: user security hole
Usertags: pythonpath

Epiphany's Python interface calls PySys_SetArgv with an argv[0] that doesn't resolve to a filename. This causes Python to prepend sys.path with an empty string which, due to the use of relative imports, allows the possibility to run arbitrary code on the user's system if a file in their working directory matches the name of a Python module Epiphany tries to import.

This should be fixed by Python 2.6 as it uses absolute imports by default, but I have not been able to test it and this still needs a fix for packages built against/used with the currently supported versions of Python.

--
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <[EMAIL PROTECTED]>

--- epiphany-browser-2.22.3.orig/src/ephy-python.c +++ epiphany-browser-2.22.3/src/ephy-python.c @@ -51,6 +51,8 @@ argv[0] = g_get_prgname (); PySys_SetArgv (1, argv); + /* Sanitize sys.path */ + PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)"); init_pygobject (); init_pygtk ();
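
Review bot: the new PyRun_SimpleString call in the hunk at line 51 ignores its return value, so if the statement fails sys.path keeps the empty entry added by PySys_SetArgv and startup continues into init_pygobject () with the path unsanitized; check for a non-zero result and abort or log before going on. filter(None, sys.path) drops only empty entries, so a "." or other relative entry would survive; filtering on absolute paths would cover those too. The assignment also rebinds sys.path to a new list, whereas sys.path[:] = ... would edit the existing list in place. The comment /* Sanitize sys.path */ would be more useful if it said why this is needed, namely that argv[0] from g_get_prgname () is not a file path.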
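
An added example, not part of the original report or of Epiphany's code: a Python check that flags the sys.path entries that make imports depend on the working directory and lists which module names a file there would supply. It goes beyond the empty string in the report to cover "." and other relative entries; the module names and paths in demo() are constructed samples.

```python
import os
import tempfile

def risky_entries(path_entries, cwd):
    """Return (index, entry) pairs whose lookup directory depends on cwd."""
    cwd = os.path.realpath(cwd)
    flagged = []
    for i, entry in enumerate(path_entries):
        # '' is the case in the report; '.' and any other relative entry
        # are resolved against the working directory in the same way.
        if not os.path.isabs(entry):
            flagged.append((i, entry))
        elif os.path.realpath(entry) == cwd:
            flagged.append((i, entry))
    return flagged

def shadowing_candidates(path_entries, cwd, module_names):
    """Module names for which a flagged entry's directory holds a matching file."""
    hits = []
    for _, entry in risky_entries(path_entries, cwd):
        directory = os.path.realpath(os.path.join(cwd, entry))
        for name in module_names:
            files = (name + ".py", os.path.join(name, "__init__.py"))
            if name not in hits and any(
                    os.path.exists(os.path.join(directory, f)) for f in files):
                hits.append(name)
    return hits

def sanitized(path_entries, cwd):
    """Drop every flagged entry, keeping the order of the rest."""
    bad = {i for i, _ in risky_entries(path_entries, cwd)}
    return [e for i, e in enumerate(path_entries) if i not in bad]

def demo():
    # Constructed sample: a working directory holding a file named like a module.
    with tempfile.TemporaryDirectory() as cwd:
        open(os.path.join(cwd, "gobject.py"), "w").close()
        path = ["", "/usr/lib/python2.5", ".", cwd]
        return (risky_entries(path, cwd),
                shadowing_candidates(path, cwd, ["gobject", "gtk"]),
                sanitized(path, cwd))

if __name__ == "__main__":
    flagged, shadowed, clean = demo()
    print("flagged:", flagged)
    print("shadowed modules:", shadowed)
    print("sanitized path:", clean)
```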