[Python-Dev] CVE tracking
Gisle Aas
gisle at activestate.com
Thu Nov 20 18:37:37 CET 2008
Perl had a few CVEs because of its rmtree implementation. Removing
trees is risky business if root runs the function while other users
have access to manipulate the tree. Python's shutil.rmtree seems to
have many of the same issues.
For instance http://bugs.debian.org/286922 shows how to get root to
remove /etc/passwd. The attack should work with shutil.rmtree as
well. The referenced bug is a followup to CVE-2005-0448.
This is just to show that there are relevant CVEs that don't have the
keyword "python" attached to them.
--Gisle
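As an added illustration of the mitigation (example code, not from the post and not Python's own shutil): a tree remover that opens every directory with O_NOFOLLOW and unlinks children relative to that open descriptor, so a symlink swapped into the tree between listing and deletion can never redirect the removal outside it; the names safe_rmtree, _remove_children and demo are my own, and the scenario in demo is constructed.

```python
import os
import tempfile

_DIR_FLAGS = os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY  # never traverse a symlink

def _remove_children(dir_fd):
    """Delete everything under the open directory dir_fd, addressing each
    child relative to that fd so a planted symlink cannot redirect it."""
    with os.scandir(dir_fd) as it:
        entries = list(it)  # snapshot before mutating the directory
    for entry in entries:
        # follow_symlinks=False: a symlink to a directory is unlinked, not entered
        if entry.is_dir(follow_symlinks=False):
            child_fd = os.open(entry.name, _DIR_FLAGS, dir_fd=dir_fd)
            try:
                _remove_children(child_fd)
            finally:
                os.close(child_fd)
            os.rmdir(entry.name, dir_fd=dir_fd)
        else:
            os.unlink(entry.name, dir_fd=dir_fd)

def safe_rmtree(path):
    """Remove the tree at path without ever following a symbolic link."""
    if os.path.islink(path) or not os.path.isdir(path):
        os.unlink(path)  # a file or a symlink: unlink the entry itself
        return
    fd = os.open(path, _DIR_FLAGS)  # raises ELOOP if path has become a symlink
    try:
        _remove_children(fd)
    finally:
        os.close(fd)
    os.rmdir(path)

def demo():
    """Constructed scenario: a symlink inside the tree points at a directory
    outside it.  Returns (outside file survived, tree removed)."""
    base = tempfile.mkdtemp()
    victim, tree = os.path.join(base, "victim"), os.path.join(base, "tree")
    os.mkdir(victim)
    keep = os.path.join(victim, "keep.txt")
    open(keep, "w").close()
    os.makedirs(os.path.join(tree, "sub"))
    open(os.path.join(tree, "sub", "junk.txt"), "w").close()
    os.symlink(victim, os.path.join(tree, "sub", "link"))  # the planted link
    safe_rmtree(tree)
    result = (os.path.exists(keep), not os.path.lexists(tree))
    os.unlink(keep); os.rmdir(victim); os.rmdir(base)
    return result
```

Python 3.3 and later shutil.rmtree takes the same fd-relative approach on platforms that support it; shutil.rmtree.avoids_symlink_attacks reports whether the running interpreter does.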