[Patches] [ python-Patches-590294 ] os._execvpe security fix
noreply@sourceforge.net
Mon, 05 Aug 2002 09:14:05 -0700
Patches item #590294, was opened at 2002-08-02 14:21
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=305470&aid=590294&group_id=5470
Category: Modules
Group: Python 2.3
Status: Open
>Resolution: Accepted
Priority: 5
Submitted By: Zack Weinberg (zackw)
Assigned to: Guido van Rossum (gvanrossum)
Summary: os._execvpe security fix
Initial Comment:
1) Do not attempt to exec a file which does not exist
just to find out what error the operating system
returns. This is an exploitable race on all platforms
that support symbolic links.
2) Immediately re-raise the exception if we get an
error other than errno.ENOENT or errno.ENOTDIR. This
may need to be adapted for other platforms.
(As a security issue, this should be considered for 2.1
and 2.2 as well as 2.3.)
----------------------------------------------------------------------
>Comment By: Guido van Rossum (gvanrossum)
Date: 2002-08-05 12:14
Message:
OK, checked in for 2.3. Keeping this open until I find the
time to backport it to 2.2 and 2.1 (or someone else does that).
----------------------------------------------------------------------
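The search policy described in the initial comment, as an added Python example (not the submitted patch and not CPython's own code). The function name `exec_search_path` and its `exec_func` parameter are hypothetical, and the sample paths are constructed.

```python
import errno
import os


def exec_search_path(file, args, env, exec_func=os.execve):
    """Exec `file` from the first PATH directory where the exec succeeds.

    exec_func is a hypothetical injection point (an assumption of this
    example) so the policy can be run without replacing the process.
    """
    if os.path.dirname(file):
        # A name with a directory part is executed as given, never searched.
        return exec_func(file, args, env)
    last_exc = None
    for directory in env.get("PATH", os.defpath).split(os.pathsep):
        fullname = os.path.join(directory, file)
        try:
            # Exec the real candidate directly: no existence check first and
            # no exec of a known-missing name just to learn the errno.
            return exec_func(fullname, args, env)
        except OSError as exc:
            if exc.errno not in (errno.ENOENT, errno.ENOTDIR):
                raise  # e.g. EACCES: report it, do not try later directories
            last_exc = exc
    raise last_exc or OSError(errno.ENOENT, os.strerror(errno.ENOENT), file)


if __name__ == "__main__":
    # Constructed outcomes per candidate path; no real exec happens here.
    outcomes = {"/a/tool": errno.ENOENT, "/b/tool": errno.EACCES}

    def stub(path, args, env):
        print("trying", path)
        if path in outcomes:
            raise OSError(outcomes[path], os.strerror(outcomes[path]), path)

    search = {"PATH": os.pathsep.join(["/a", "/b", "/c"])}
    try:
        exec_search_path("tool", ["tool"], search, exec_func=stub)
    except OSError as exc:
        print("stopped with", errno.errorcode[exc.errno])
```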