drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Unsichere Verwendung von /tmp in python
Name: |
Unsichere Verwendung von /tmp in python
|
|
ID: |
|
|
Distribution: |
Gentoo |
|
Plattformen: |
Keine Angabe |
|
Datum: |
Fr, 4. Oktober 2002, 13:00 |
|
Referenzen: |
Keine Angabe |
|
Applikationen: |
Python |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
-------------------------------------------------------------------- GENTOO LINUX SECURITY ANNOUNCEMENT --------------------------------------------------------------------
PACKAGE :python SUMMARY :os.execvpe() vulnerability DATE :2002-10-03 14:45 UTC
--------------------------------------------------------------------
OVERVIEW
By exploiting this vulnerability a local attacker can execute arbitrary code with the privileges of the user running python code which uses the execvpe() method.
DETAIL
Zack Weinberg found a vulnerability in the way the exevpe() method from the os.py module uses a temporary file name. A file which supposedly should not exist is created in a unsafe way and the method tries to execute it. The objective of such code is to discover what error the operating system returns in a portable way.
SOLUTION
It is recommended that all Gentoo Linux users who are running dev-lang/python-2.2.1-r4 and earlier update their systems as follows:
emerge rsync emerge python emerge clean
-------------------------------------------------------------------- aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz -------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE9nFfWfT7nyhUpoZMRAlRIAKChIVtWL75kMwXlt0Ifk5s5seczkgCgiaKZ t1mU5Nim159c3J9y9dyjELs= =80ty -----END PGP SIGNATURE----- _______________________________________________ gentoo-announce mailing list gentoo-announce@gentoo.org http://lists.gentoo.org/mailman/listinfo/gentoo-announce _______________________________________________ gentoo-security mailing list gentoo-security@gentoo.org http://lists.gentoo.org/mailman/listinfo/gentoo-security
|
|
|
|