[Python-Dev] Re: RHSA-2002:202-25

Guido van Rossum guido@python.org
Wed, 29 Jan 2003 23:13:57 -0500


> I'm taking this thread across the great divide to the python-dev mailing
> list.  The point Yasushi makes is that the security hole found and fixed by
> Zack Weinberg back in August 2002 (os.py 1.59) should be available as a patch
> for versions of Python "out there" which might be affected.  The versions
> he's concerned with are 1.5.2 and 2.1.3.  I don't think we have to worry
> about 2.2.1 because those users can (and should) upgrade to 2.2.2 if the
> patch is important to them.
> 
> To see the original thread, go here:
> 
>     http://mail.python.org/pipermail/python-list/2003-January/142352.html
> 
>     Yasushi> Thank you. But I think this patch or patched version of Python
>     Yasushi> should be placed on ftp.python.org.
> 
>     Yasushi> Zope doesn't work with Python 2.2 yet. So many new Zope users
>     Yasushi> will install Python 2.1.3. But there is no patch on
>     Yasushi> ftp.python.org and no security alert on www.python.org.
> 
> Zope ships with its own version of Python, often in binary (for Windows).
> The Zope folks probably need to provide their own patch.
> 
>     Yasushi> How do they know that Python 2.1.3 has a security problem?
> 
> Who are "they"?
> 
> You have to realize that the people who develop Python don't know all the
> people who bundle Python in applications.  It's open source and most of the
> people who work on Python are volunteers.
> 
> Can someone on python-dev more in-the-know about these things respond?

For Python 2.1.3, the fix is in fact in CVS.  It would not take much
to release 2.1.4.

For Python versions before that, I don't see there's much point in
doing another release; those versions are widely deployed but it is
unlikely that publishing a patch will make much of a difference (the
very fact that people are still using those versions suggests that
they don't keep their systems up-to-date).  For people using e.g. Red
Hat's distribution, Red Hat has done the right thing already.

I checked the Zope source code, and it doesn't use os.execvp or any
other os.exec*p variant.  There's one call to os.execv, which isn't
vulnerable.

Since the attack is based on a symlink, Python on Windows is not
vulnerable.

--Guido van Rossum (home page: http://www.python.org/~guido/)
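As an added example (not part of the thread, and not Zope's or Python's own code), here is a small ast-based audit in the spirit of the check Guido describes: it reports calls to the PATH-searching os.exec*p family, which the thread identifies as affected, and the plain os.execv family, which it identifies as not affected. The function name and the sample source are constructed for the demonstration.

```python
import ast

# The os.exec*p variants search PATH; these are the ones the thread names as
# affected by the os.py 1.59 fix. The non-"p" variants are reported as not affected.
AFFECTED = {"execvp", "execvpe", "execlp", "execlpe"}
NOT_AFFECTED = {"execv", "execve", "execl", "execle"}


def find_exec_calls(source, filename="<string>"):
    """Return sorted (lineno, qualified_name, affected) tuples for every
    os.exec* call in `source`. Handles both `os.execvp(...)` and
    `from os import execvp [as alias]; alias(...)`."""
    tree = ast.parse(source, filename)
    # Map local names bound by `from os import ...` back to the os function name.
    imported = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "os":
            for alias in node.names:
                imported[alias.asname or alias.name] = alias.name
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func, name = node.func, None
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "os"):
            name = func.attr                      # os.execvp(...)
        elif isinstance(func, ast.Name) and func.id in imported:
            name = imported[func.id]              # from os import execvp as x; x(...)
        if name in AFFECTED or name in NOT_AFFECTED:
            hits.append((node.lineno, "os." + name, name in AFFECTED))
    hits.sort()
    return hits


# Constructed sample input (hypothetical code, not taken from any real project).
SAMPLE = '''
import os
from os import execlp as run_in_path

def spawn(cmd):
    if cmd == "a":
        os.execvp("ls", ["ls"])        # affected: PATH search
    elif cmd == "b":
        run_in_path("ls", "ls")        # affected via from-import alias
    else:
        os.execv("/bin/ls", ["ls"])    # not affected: no PATH search
'''

if __name__ == "__main__":
    for lineno, name, affected in find_exec_calls(SAMPLE):
        print(f"line {lineno}: {name} {'AFFECTED' if affected else 'not affected'}")
```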