[New-bugs-announce] [issue16248] Security bug in tkinter allows for untrusted code execution.

Ramchandra Apte report at bugs.python.org
Tue Oct 16 17:29:21 CEST 2012


New submission from Ramchandra Apte:

Because tkinter.py uses exec to execute code from a file, it has a security bug. It searches for the file in the home dir. Apparently, on my system (don't know if it's the same on others), the $HOME variable is the same as the non-root one when running Python with root privileges.
Steps to reproduce:
create a file called .Tk.py in your home folder
Whatever code is in that file will be executed.

run these three lines of code in Python:

import tkinter
w = tkinter.Tk()
w.mainloop()

I will add more details in later comments.

----------
components: Tkinter
messages: 173047
nosy: ramchandra.apte
priority: normal
severity: normal
status: open
title: Security bug in tkinter allows for untrusted code execution.

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue16248>
_______________________________________
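The report above says that Tk() looks in $HOME for a .Tk.py file and exec()s whatever it contains, and that under sudo $HOME can still point at the unprivileged user's directory. The audit below is an added example, not code from the bug report or from CPython; it restates, as I understand it, the file-resolution rule of tkinter's Tk.readprofile (className "Tk", plus a baseName derived from sys.argv[0] with a .py/.pyc extension stripped, each with .py and .tcl variants) so that it runs headless without importing tkinter or needing a display. Function names, the audit() result layout and the throw-away HOME built by demo() are all my own.

```python
"""Audit which tkinter start-up files would be executed from $HOME.

Added example, not code from the bug report or from CPython. The path rule
is my restatement of tkinter.Tk.readprofile: ~/.<className>.tcl,
~/.<className>.py, ~/.<baseName>.tcl, ~/.<baseName>.py, where className
defaults to "Tk" and baseName comes from sys.argv[0].
"""
import os
import stat
import sys
import tempfile


def profile_candidates(home, argv0, class_name="Tk"):
    """Return the four start-up files Tk() would look for under `home`.

    tkinter strips the extension of the script name only if it is .py or
    .pyc, so "app.sh" yields baseName "app.sh" and the file ".app.sh.py".
    """
    base = os.path.basename(argv0)
    base, ext = os.path.splitext(base)
    if ext not in (".py", ".pyc"):
        base = base + ext
    names = [
        ".%s.tcl" % class_name,  # sourced by the Tcl interpreter
        ".%s.py" % class_name,   # exec()'d as Python (the file in the report)
        ".%s.tcl" % base,
        ".%s.py" % base,
    ]
    return [os.path.join(home, n) for n in names]


def audit(home, argv0, euid=None):
    """Report start-up files present in `home`, their owner and permissions,
    and whether `home` itself belongs to the effective user. A mismatch is
    exactly the sudo-keeps-HOME situation the report describes: root would
    exec() a file that an unprivileged user can write.
    """
    if euid is None:
        euid = os.geteuid()
    findings = {"home": home, "home_owner_mismatch": False, "files": []}
    try:
        findings["home_owner_mismatch"] = os.stat(home).st_uid != euid
    except OSError:
        pass  # HOME unset or unreadable: nothing would be loaded from it
    for path in profile_candidates(home, argv0):
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        findings["files"].append({
            "path": path,
            "owner_uid": st.st_uid,
            "foreign_owner": st.st_uid != euid,
            "world_writable": bool(st.st_mode & stat.S_IWOTH),
        })
    return findings


def demo():
    """Recreate the report's setup in a temporary HOME: plant a .Tk.py and
    show the audit flags it. The planted file is only written, never run."""
    with tempfile.TemporaryDirectory() as home:
        with open(os.path.join(home, ".Tk.py"), "w") as f:
            f.write("print('this would run inside Tk()')\n")
        return audit(home, "myapp.py")


if __name__ == "__main__":
    # Real environment: what would Tk() load for this user and script?
    print(audit(os.environ.get("HOME", os.curdir), sys.argv[0]))
    print(demo())
```

Run it as the user who will start the GUI (and again under sudo, if that is how the program is launched) and treat any entry with foreign_owner or world_writable set, or home_owner_mismatch true, as code that a less privileged account can inject into the process.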

