I'm taking this thread across the great divide to the python-dev mailing list. The point Yasushi makes is that the security hole found and fixed by Zack Weinberg back in August 2002 (os.py 1.59) should be available as a patch for versions of Python "out there" which might be affected. The versions he's concerned with are 1.5.2 and 2.1.3. I don't think we have to worry about 2.2.1 because those users can (and should) upgrade to 2.2.2 if the patch is important to them.
To see the original thread, go here:
http://mail.python.org/pipermail/python-list/2003-January/142352.html
Yasushi> Thank you. But I think this patch or patched version of Python
Yasushi> should be placed on ftp.python.org.

Yasushi> Zope doesn't work with Python 2.2 yet. So many new Zope users
Yasushi> will install Python 2.1.3. But there is no patch on
Yasushi> ftp.python.org and no security alert on www.python.org.
Zope ships with its own version of Python, often in binary (for Windows). The Zope folks probably need to provide their own patch.
Yasushi> How do they know that Python 2.1.3 has a security problem?
Who are "they"?
You have to realize that the people who develop Python don't know all the people who bundle Python in applications. It's open source and most of the people who work on Python are volunteers.
Can someone on python-dev more in-the-know about these things respond?

Skip
For Python 2.1.3, the fix is in fact in CVS. It would not take much to release 2.1.4.

For Python versions before that, I don't see there's much point in doing another release; those versions are widely deployed but it is unlikely that publishing a patch will make much of a difference (the very fact that people are still using those versions suggests that they don't keep their systems up-to-date). For people using e.g. Red Hat's distribution, Red Hat has done the right thing already.

I checked the Zope source code, and it doesn't use os.execvp or any other os.exec*p variant. There's one call to os.execv, which isn't vulnerable.

Since the attack is based on a symlink, Python on Windows is not vulnerable.

--Guido van Rossum (home page: http://www.python.org/~guido/)
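The check Guido describes, sorting an application's exec calls into the PATH-searching os.exec*p family (the variants that went through the fixed os._execvpe code) and the direct-path os.execv/os.execl variants, is something anyone bundling an old Python would want to repeat on their own tree. The following is an added example written for this archive page, not code from the thread, from Python or from Zope. It walks a module's AST so that aliases such as "import os as _os" and "from os import execvp as run_on_path" are still caught; the SAMPLE module it scans is constructed here for illustration.

```python
"""Audit Python source for calls to the os.exec* family, flagging the
PATH-searching variants (os.exec*p / os.exec*pe) separately from the
direct-path ones (os.execv / os.execl / os.execve / os.execle)."""
import ast

# Variants with a "p" search PATH and were implemented via os._execvpe.
PATH_SEARCH_EXECS = frozenset({"execlp", "execlpe", "execvp", "execvpe"})
# Variants without a "p" exec exactly the path they are given.
DIRECT_EXECS = frozenset({"execl", "execle", "execv", "execve"})
ALL_EXECS = PATH_SEARCH_EXECS | DIRECT_EXECS


class ExecAuditor(ast.NodeVisitor):
    """Collects (lineno, os function name, searches_path) for each call."""

    def __init__(self):
        self.os_aliases = {"os"}   # local names bound to the os module
        self.direct_names = {}     # local name -> os.exec* function name
        self.findings = []

    def visit_Import(self, node):
        # "import os" / "import os as _os"
        for alias in node.names:
            if alias.name == "os":
                self.os_aliases.add(alias.asname or "os")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        # "from os import execvp as run_on_path"
        if node.module == "os":
            for alias in node.names:
                if alias.name in ALL_EXECS:
                    self.direct_names[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        name = None
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            # os.execvp(...) or _os.execvp(...)
            if func.value.id in self.os_aliases and func.attr in ALL_EXECS:
                name = func.attr
        elif isinstance(func, ast.Name) and func.id in self.direct_names:
            # execvp(...) / run_on_path(...) after a from-import
            name = self.direct_names[func.id]
        if name is not None:
            self.findings.append((node.lineno, name, name in PATH_SEARCH_EXECS))
        self.generic_visit(node)


def audit_exec_calls(source):
    """Return a list of (lineno, funcname, searches_path) for one module."""
    auditor = ExecAuditor()
    auditor.visit(ast.parse(source))
    return auditor.findings


# Constructed sample module (hypothetical, for illustration only).
SAMPLE = '''
import os
import os as _os
from os import execvp as run_on_path, execv

def restart(argv):
    os.execv("/usr/bin/python", argv)      # explicit path: direct variant

def spawn(cmd, argv):
    _os.execvp(cmd, argv)                   # searches PATH: exec*p variant

def spawn2(cmd, argv):
    run_on_path(cmd, argv)                  # same function under an alias

def spawn3(argv):
    execv("/bin/sh", argv)                  # direct variant via from-import
'''

if __name__ == "__main__":
    for lineno, name, searches_path in audit_exec_calls(SAMPLE):
        flag = "PATH-searching, review" if searches_path else "direct path"
        print("line %d: os.%s -> %s" % (lineno, name, flag))
```

Run over a real tree with one audit_exec_calls() call per file. A hit in the PATH-searching column means the call went through the code path fixed in os.py 1.59 and the bundled interpreter needs the fix; direct-path calls are the case Guido found in Zope. Dynamic uses (getattr(os, "execvp"), exec/eval, or callers that receive the function as an argument) are not seen by a static walk and need a manual look.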
participants (2)
- Guido van Rossum
- Skip Montanaro