[Bf-committers] Patch for CVE-2008-4863

Martin Poirier theeth at yahoo.com
Mon Nov 3 21:25:30 CET 2008


--- On Mon, 11/3/08, Jochen Schmitt <Jochen at herr-schmitt.de> wrote:

> From: Jochen Schmitt <Jochen at herr-schmitt.de>
> Subject: [Bf-committers] Patch for CVE-2008-4863
> To: bf-committers at blender.org
> Date: Monday, November 3, 2008, 2:24 PM
>
> Hello,
> 
> Relating to the Fedora packaging guidelines, I will forward to you a patch
> which should solve the reported security issue CVE-2008-4863.
> 
> Best Regards:
> 
> Jochen Schmitt
> 
> diff -up
> blender-2.48a/source/blender/python/BPY_interface.c.cve
> blender-2.48a/source/blender/python/BPY_interface.c
> - ---
> blender-2.48a/source/blender/python/BPY_interface.c.cve    
> 2008-11-03 17:31:19.000000000 +0100
> +++ blender-2.48a/source/blender/python/BPY_interface.c
> 2008-11-03
> 17:35:01.000000000 +0100
> @@ -225,6 +225,11 @@ void BPY_start_python( int argc, char
> **
>         Py_Initialize(  );
> 
>         PySys_SetArgv( argc_copy, argv_copy );
> +
> +       /* Sanitize sys.path to prevent relative imports
> loading
> modules in
> +          the current working directory */
> +       PyRun_SimpleString("import sys; sys.path =
> filter(None,
> sys.path)");
> +
>         /* Initialize thread support (also acquires lock)
> */
>         PyEval_InitThreads();
> 
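Review bot: `filter(None, sys.path)` removes every empty-string entry, which is both too much and too little here. Too much, because an empty entry a user deliberately placed on the path disappears along with the one `PySys_SetArgv` added; too little, because `PySys_SetArgv` prepends the directory part of argv[0], which is only `''` when argv[0] has no directory component, so an invocation such as `./blender` prepends `.` and the current working directory stays importable after the filter. Since the call always inserts at index 0, removing exactly that entry right after `PySys_SetArgv( argc_copy, argv_copy );` (`sys.path.pop(0)`, or the equivalent list deletion on `PySys_GetObject("path")` from C) addresses the prepended entry without touching the rest of the path; the comment `/* Sanitize sys.path to prevent relative imports` should then describe that narrower intent.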

Hi,

That's a side effect of PySys_SetArgv: prepend the path to the executable (as defined in argv[0]) to sys.path.

We aren't "incorrectly" using it, this is the defined behavior for Python embedding.

That patch is incorrect in any case. It would also remove "current dir" entries that might have been legitimately added to the python path by users. Moreover, PySys_SetArgv always inserts at the head of the list; the proper way to "solve" this would have been to pop(0).

If you think this is a security hole, you should take this to the Python devs as a priority, we must definitely NOT be the only ones using PySys_SetArgv.

Martin
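A model of the sys.path behaviour discussed in this thread, written as an added example rather than code from Blender or from either poster. It assumes the Python 2-era rule that PySys_SetArgv prepends the directory part of argv[0] to sys.path (an empty string, meaning the working directory, when argv[0] has no directory component), and contrasts the patch's filter with the pop(0) the reply suggests, including the `./blender` case where the filter leaves the working directory on the path.

```python
import os

# Constructed model (added example, not Blender's or Python's own code) of the
# sys.path handling discussed in the thread. Assumption: Python 2-era
# PySys_SetArgv prepends the directory part of argv[0] to sys.path, and an
# empty string when argv[0] has no directory component (the symlink
# resolution the real implementation performs is left out).

def setargv_prefix(argv0):
    """Entry that PySys_SetArgv inserts at sys.path[0] for the given argv[0]."""
    return os.path.dirname(argv0)   # "" for "blender", "." for "./blender"

def filter_patch(argv0, user_path):
    """sys.path after PySys_SetArgv followed by the patch's
    'sys.path = filter(None, sys.path)'."""
    path = [setargv_prefix(argv0)] + list(user_path)
    return [p for p in path if p]

def pop0_fix(argv0, user_path):
    """sys.path after PySys_SetArgv followed by the targeted
    'sys.path.pop(0)' that removes only the prepended entry."""
    path = [setargv_prefix(argv0)] + list(user_path)
    path.pop(0)
    return path

def imports_from_cwd(path):
    """True if any sys.path entry resolves to the current working directory,
    i.e. a module placed in the directory the program was started from
    would be picked up by 'import'."""
    cwd = os.getcwd()
    return any(os.path.abspath(p) == cwd for p in path)

if __name__ == "__main__":
    # Constructed user path, including an empty entry added on purpose.
    user_path = ["", "/usr/lib/python2.5", "/home/user/.blender/scripts"]
    for argv0 in ("blender", "./blender", "/usr/bin/blender"):
        print(argv0,
              "filter -> cwd importable:", imports_from_cwd(filter_patch(argv0, user_path)),
              "| pop(0) -> cwd importable:", imports_from_cwd(pop0_fix(argv0, user_path)))
```

Later Python releases (2.6.6 and 3.1.3 onwards) added PySys_SetArgvEx(argc, argv, 0), which skips the prepend entirely and is the mitigation embedders use today.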
