Perl had a few CVEs because of its rmtree implementation. Removing trees is risky business if root runs the function while other users have access to manipulate the tree. Python's shutil.rmtree seems to have many of the same issues. For instance, http://bugs.debian.org/286922 shows how to get root to remove /etc/passwd. The attack should work with shutil.rmtree as well. The referenced bug is a follow-up to CVE-2005-0448. This is just to show that there are relevant CVEs that don't have the keyword "python" attached to them.
--Gisle
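
Added example, not part of the original message and not Python's or Perl's own code: a tree removal for POSIX systems that resolves every entry relative to an already-open directory descriptor and refuses symlinks, so another user who replaces a directory with a symlink mid-walk cannot steer the deletion outside the tree. The names `rmtree_fd` and `demo` and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def rmtree_fd(name, parent_fd=None):
    """Remove directory `name` (relative to parent_fd) without following symlinks."""
    # O_NOFOLLOW: open() fails if `name` is, or was just replaced by, a symlink.
    # O_DIRECTORY: open() fails if `name` is not a directory.
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    dfd = os.open(name, flags, dir_fd=parent_fd)
    try:
        for entry in os.listdir(dfd):
            # lstat-style check, resolved against the pinned descriptor,
            # never against a path string that can be re-pointed.
            st = os.stat(entry, dir_fd=dfd, follow_symlinks=False)
            if stat.S_ISDIR(st.st_mode):
                rmtree_fd(entry, parent_fd=dfd)
            else:
                # unlink removes the link itself, never its target.
                os.unlink(entry, dir_fd=dfd)
    finally:
        os.close(dfd)
    os.rmdir(name, dir_fd=parent_fd)


def demo():
    """Constructed tree with a symlink pointing at a directory outside it."""
    base = tempfile.mkdtemp()
    outside = os.path.join(base, "outside")
    os.mkdir(outside)
    keep = os.path.join(outside, "keep.txt")
    open(keep, "w").close()

    tree = os.path.join(base, "tree")
    os.makedirs(os.path.join(tree, "sub"))
    open(os.path.join(tree, "sub", "f"), "w").close()
    os.symlink(outside, os.path.join(tree, "link"))

    rmtree_fd(tree)
    # (tree still exists?, file outside the tree still exists?)
    return os.path.exists(tree), os.path.exists(keep)


if __name__ == "__main__":
    print(demo())
```

On current Python versions, `shutil.rmtree.avoids_symlink_attacks` reports whether the platform's `shutil.rmtree` uses a descriptor-based implementation of this kind.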