RHSA-2002:202-25

Skip Montanaro skip at pobox.com
Wed Jan 29 16:33:00 CET 2003


    Yasushi> Red Hat announced that an insecure use of a temporary file has
    Yasushi> been found in Python

    Yasushi> http://rhn.redhat.com/errata/RHSA-2002-202.html

    Yasushi> I cannot find the patch on ftp.python.org. Where can I find the
    Yasushi> patch?  Is there a plan to release patched version?

This is in 2.2.1 and earlier.  I believe the fix was applied to os.py
version 1.59 last August:

    revision 1.59
    date: 2002/08/05 16:13:24;  author: gvanrossum;  state: Exp;  lines: +6 -21
    SF patch 590294: os._execvpe security fix (Zack Weinberg).

    1) Do not attempt to exec a file which does not exist
    just to find out what error the operating system
    returns. This is an exploitable race on all platforms
    that support symbolic links.

    2) Immediately re-raise the exception if we get an
    error other than errno.ENOENT or errno.ENOTDIR. This
    may need to be adapted for other platforms.

    (As a security issue, this should be considered for 2.1
    and 2.2 as well as 2.3.)

You should upgrade to 2.2.2.

Skip





More information about the Python-list mailing list