[New-bugs-announce] [issue19855] uuid._find_mac fails if an executable not in /sbin or /usr/sbin
Serhiy Storchaka
report at bugs.python.org
Sun Dec 1 16:12:48 CET 2013
New submission from Serhiy Storchaka:
The uuid._find_mac() function tests that executable file exist before run it. First it tries to run unmodified executable name (i.e. from $PATH) and then from the /sbin or /usr/sbin directories. However test for unmodified executable name is wrong, actually it tests that executable name exists in current directory rather than in $PATH.
As a result uuid._find_mac() always fails on platforms where ifconfig located in $PATH but not in /sbin or /usr/sbin (i.e. Gentoo). If unixdll_getnode() fails too, uuid.getnode() fallbacks to use of _random_getnode(). This is security issue.
test_uuid fails on such platforms too.
Here is a patch for 3.3+. Other Python versions requires different solution. For example this check can be just removed.
----------
components: Library (Lib)
files: uuid_find_mac_which.patch
keywords: patch
messages: 204932
nosy: Arfrever, serhiy.storchaka
priority: normal
severity: normal
stage: patch review
status: open
title: uuid._find_mac fails if an executable not in /sbin or /usr/sbin
type: security
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4
Added file: http://bugs.python.org/file32931/uuid_find_mac_which.patch
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue19855>
_______________________________________
More information about the New-bugs-announce
mailing list