[Python-Dev] CVE tracking

Gisle Aas gisle at activestate.com
Thu Nov 20 18:37:37 CET 2008

Perl had a few CVE because of its rmtree implementation.  Removing  
trees is risky business if root runs the function while other users  
have access to manipulate the tree.  Python's shutils.rmtree seems to  
have many of the same issues.
For instance http://bugs.debian.org/286922 shows how to get root to  
remove /etc/passwd.  The attack should work with shutils.rmtree as  
well.  The referenced bug is a followup to CVE-2005-0448.
This just to show that there are relevant CVEs that don't have the  
keyword "python" attached to them.

More information about the Python-Dev mailing list