[Python-Dev] Re: RHSA-2002:202-25
Guido van Rossum
guido@python.org
Wed, 29 Jan 2003 23:13:57 -0500
> I'm taking this thread across the great divide to the python-dev mailing
> list. The point Yasushi makes is that the security hole found and fixed by
> Zack Weinberg back in August 2002 (os.py 1.59) should be available as a patch
> for versions of Python "out there" which might be affected. The versions
> he's concerned with are 1.5.2 and 2.1.3. I don't think we have to worry
> about 2.2.1 because those users can (and should) upgrade to 2.2.2 if the
> patch is important to them.
>
> To see the original thread, go here:
>
> http://mail.python.org/pipermail/python-list/2003-January/142352.html
>
> Yasushi> Thank you. But I think this patch or patched version of Python
> Yasushi> should be placed on ftp.python.org.
>
> Yasushi> Zope doesn't work with Python 2.2 yet. So many new Zope users
> Yasushi> will install Python 2.1.3. But there is no patch on
> Yasushi> ftp.python.org and no security alert on www.python.org.
>
> Zope ships with its own version of Python, often in binary (for Windows).
> The Zope folks probably need to provide their own patch.
>
> Yasushi> How do they know that Python 2.1.3 has a security problem?
>
> Who are "they"?
>
> You have to realize that the people who develop Python don't know all the
> people who bundle Python in applications. It's open source and most of the
> people who work on Python are volunteers.
>
> Can someone on python-dev more in-the-know about these things respond?
For Python 2.1.3, the fix is in fact in CVS. It would not take much
to release 2.1.4.
For Python versions before that, I don't see there's much point in
doing another release; those versions are widely deployed but it is
unlikely that publishing a patch will make much of a difference (the
very fact that people are still using those versions suggests that
they don't keep their systems up-to-date). For people using e.g. Red
Hat's distribution, Red Hat has done the right thing already.
I checked the Zope source code, and it doesn't use os.execvp or any
other os.exec*p variant. There's one call to os.execv, which isn't
vulnerable.
Since the attack is based on a symlink, Python on Windows is not
vulnerable.
--Guido van Rossum (home page: http://www.python.org/~guido/)
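The audit Guido describes above (checking a code base for calls to the PATH-searching os.exec*p variants while leaving plain os.execv alone) can be automated with a small AST scan. This is an added example, not code from the thread, from Python's os.py or from Zope; the names PATH_SEARCHING_EXECS, find_exec_p_calls and the sample source below are all constructed here.

```python
import ast

# The os.exec* functions that search PATH (the "*p" variants). These are
# the ones the thread treats as affected; os.execv/execve/execl/execle,
# which take an exact path, are not reported.
PATH_SEARCHING_EXECS = {"execvp", "execvpe", "execlp", "execlpe"}

def find_exec_p_calls(source, filename="<string>"):
    """Return sorted (lineno, qualified_name) pairs for each os.exec*p call.

    Handles `os.execvp(...)`, `import os as o; o.execvp(...)` and
    `from os import execlp [as alias]`.
    """
    tree = ast.parse(source, filename)
    os_aliases = {"os"}          # names bound to the os module
    func_aliases = {}            # local name -> exec*p function it refers to
    hits = []
    # First pass: collect how the os module and its functions are bound.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "os":
                    os_aliases.add(alias.asname or "os")
        elif isinstance(node, ast.ImportFrom) and node.module == "os":
            for alias in node.names:
                if alias.name in PATH_SEARCHING_EXECS:
                    func_aliases[alias.asname or alias.name] = alias.name
    # Second pass: report calls that resolve to a PATH-searching variant.
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id in os_aliases and f.attr in PATH_SEARCHING_EXECS):
            hits.append((node.lineno, "os." + f.attr))
        elif isinstance(f, ast.Name) and f.id in func_aliases:
            hits.append((node.lineno, "os." + func_aliases[f.id]))
    return sorted(hits)

# Constructed sample (not Zope code): one exact-path call, two to flag.
SAMPLE = """\
import os
from os import execlp as run_in_path
os.execv("/usr/bin/true", ["true"])          # exact path: not a *p variant
os.execvp("ls", ["ls", "-l"])                # searches PATH
run_in_path("env", "env")                    # aliased os.execlp
"""

if __name__ == "__main__":
    for lineno, name in find_exec_p_calls(SAMPLE):
        print(f"line {lineno}: {name}")
```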