skip at pobox.com
Wed Jan 29 16:33:00 CET 2003
Yasushi> Red Hat announced that an insecure use of a temporary file has
Yasushi> been found in Python.
Yasushi> I cannot find the patch on ftp.python.org. Where can I find the
Yasushi> patch? Is there a plan to release patched version?
This is in 2.2.1 and earlier. I believe the fix was applied to os.py
version 1.59 last August:
date: 2002/08/05 16:13:24; author: gvanrossum; state: Exp; lines: +6 -21
SF patch 590294: os._execvpe security fix (Zack Weinberg).
1) Do not attempt to exec a file which does not exist
just to find out what error the operating system
returns. This is an exploitable race on all platforms
that support symbolic links.
2) Immediately re-raise the exception if we get an
error other than errno.ENOENT or errno.ENOTDIR. This
may need to be adapted for other platforms.
(As a security issue, this should be considered for 2.1
and 2.2 as well as 2.3.)
You should upgrade to 2.2.2.
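As an added illustration of the two points in the quoted commit message (example code written here, not the os.py change itself and not part of the original message): the PATH search below keeps the fixed behaviour, in that the "not found" errnos are taken from the errno module rather than learned by exec'ing a throwaway file, and any other error ends the search at once instead of being swallowed. The names search_path_and_exec, make_fake_exec and demo, the exec_fn hook, and the PATH layouts are all assumptions constructed for this example.

```python
import errno
import os


def search_path_and_exec(file, args, env=None, exec_fn=os.execve):
    """Search PATH for `file` and exec the first candidate the OS accepts.

    Mirrors the two points of the quoted fix:
    1. The "not found" errnos (ENOENT, ENOTDIR) are known constants, so no
       throw-away file is ever exec'd to discover them; that probe was the
       race the commit message describes.
    2. Any other error (EACCES, ENOEXEC, ...) is re-raised at once instead
       of being swallowed while the search moves on to the next directory.
    `exec_fn` is a hypothetical hook (not in os.py) so the loop can be
    driven by a stand-in instead of replacing the current process.
    """
    if env is None:
        env = os.environ
    head, _tail = os.path.split(file)
    if head:
        # An explicit path is exec'd directly; there is nothing to search.
        return exec_fn(file, args, env)
    path_entries = env.get("PATH", os.defpath).split(os.pathsep)
    last_not_found = None
    for directory in path_entries:
        fullname = os.path.join(directory, file)
        try:
            return exec_fn(fullname, args, env)  # a real exec never returns
        except OSError as e:
            if e.errno not in (errno.ENOENT, errno.ENOTDIR):
                raise  # unexpected error: do not keep searching
            last_not_found = e
    if last_not_found is None:
        last_not_found = OSError(errno.ENOENT, os.strerror(errno.ENOENT), file)
    raise last_not_found


def make_fake_exec(outcomes):
    """Stand-in for os.execve built from a constructed table.

    `outcomes` maps a full path to an errno to raise, or to None for a
    simulated successful exec. Paths not in the table raise ENOENT, as a
    missing file would. Every attempted path is recorded for inspection.
    """
    attempts = []

    def fake_exec(path, args, env):
        attempts.append(path)
        code = outcomes.get(path, errno.ENOENT)
        if code is None:
            return "exec:" + path
        raise OSError(code, os.strerror(code), path)

    fake_exec.attempts = attempts
    return fake_exec


def demo():
    """Run the search against constructed PATH layouts. Returns errno names
    (via errno.errorcode) and the paths tried, so results are portable."""
    results = {}

    # Case 1: first directory lacks the file, second has it.
    fx = make_fake_exec({"/usr/bin/tool": None})
    results["found"] = search_path_and_exec(
        "tool", ["tool"], {"PATH": "/opt/missing:/usr/bin:/bin"}, exec_fn=fx)
    results["found_attempts"] = list(fx.attempts)

    # Case 2: a permission error in the first directory aborts the search
    # immediately, even though a usable copy exists further along PATH.
    fx = make_fake_exec({"/sbin/tool": errno.EACCES, "/usr/bin/tool": None})
    try:
        search_path_and_exec("tool", ["tool"], {"PATH": "/sbin:/usr/bin"}, exec_fn=fx)
        results["eacces"] = "no error"
    except OSError as e:
        results["eacces"] = errno.errorcode[e.errno]
    results["eacces_attempts"] = list(fx.attempts)

    # Case 3: nothing on PATH; every entry is tried and ENOENT is reported.
    fx = make_fake_exec({})
    try:
        search_path_and_exec("tool", ["tool"], {"PATH": "/a:/b"}, exec_fn=fx)
        results["missing"] = "no error"
    except OSError as e:
        results["missing"] = errno.errorcode[e.errno]
    results["missing_attempts"] = list(fx.attempts)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The stand-in exec is only there so the error paths can be exercised in-process; with the default exec_fn the function behaves like a PATH-searching exec and never returns on success.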