Home page logo
/

bugtraq logo Bugtraq mailing list archives

[CLA-2002:527] Conectiva Linux Security Announcement - python
From: secure () conectiva com br
Date: Tue, 1 Oct 2002 11:52:33 -0300

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : python
SUMMARY   : os.execvpe() vulnerability
DATE      : 2002-10-01 11:48:00
ID        : CLA-2002:527
RELEVANT
RELEASES  : 6.0, 7.0, 8

- -------------------------------------------------------------------------

DESCRIPTION
 Python is an interpreted, interactive, object-oriented programming
 language.
 
 Zack Weinberg found[1] a vulnerability in the way the exevpe() method
 from the os.py module uses a temporary file name. A file which
 supposedly should not exist is created in a unsafe way and the method
 tries to execute it. The objective of such code is to discover what
 error the operating system returns in a portable way.
 
 This vulnerability affects all python versions and is fixed[2,3] in
 the python CVS repository (using a better approach).
 
 By exploiting this vulnerability a local attacker can execute
 arbitrary code with the privileges of the user running python code
 which uses the execvpe() method.


SOLUTION
 All python users should upgrade.
 
 
 REFERENCES:
 1.http://mail.python.org/pipermail/python-dev/2002-August/027223.html
 2.http://python.org/sf/590294
 3.http://python.org/sf/601077
 4.http://distro.conectiva.com.br/bugzilla/show_bug.cgi?id=6595&idioma=en


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/python-1.5.2-14U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/python-devel-1.5.2-14U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/python-doc-1.5.2-14U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/python-idle-1.5.2-14U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/tkinter-1.5.2-14U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/python-1.5.2-14U60_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/python-2.1-15U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/python-devel-2.1-15U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/python-doc-2.1-15U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/python-freeze-2.1-15U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/python-idle-2.1-15U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/python-tkinter-2.1-15U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/python-2.1-15U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/python-2.2-10U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/python-devel-2.2-10U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/python-doc-2.2-10U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/python-freeze-2.2-10U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/python-idle-2.2-10U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/python-tkinter-2.2-10U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/python-2.2-10U80_1cl.src.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

 rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe () papaleguas conectiva com br
unsubscribe: conectiva-updates-unsubscribe () papaleguas conectiva com br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9mbaw42jd0JmAcZARAhb6AJ9Uk2m4U9DW1SV/Ed4hMsj1Gge+SwCfevxF
C8XCFcdvnkSvmNyxRSI88FU=
=J9Ma
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
  • [CLA-2002:527] Conectiva Linux Security Announcement - python secure (Oct 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault