[Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX
Antoine Pitrou
solipsis at pitrou.net
Fri Sep 26 00:17:46 CEST 2014
On Thu, 25 Sep 2014 13:00:16 -0700
Bob Hanson <d2mp1a9 at newsguy.com> wrote:
> Critical bash vulnerability CVE-2014-6271 may affect Python on
> *n*x and OSX:
>
> <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>
>
> <http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/>
>
> <http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html>
>
> <http://www.openwall.com/lists/oss-security/2014/09/24/17>
>
> Also see <news:gmane.comp.security.fulldisclosure> for thread on
> same being started today.
Fortunately, Python's subprocess has its `shell` argument default to
False. However, `os.system` invokes the shell implicitly and is
therefore a possible attack vector.
Regards
Antoine.
More information about the Python-Dev
mailing list