CVE-2008-5983

Python <2.7 - Code Injection

Title source: llm

Description

Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory.

References (23)

[Mailing List, Third Party Advisory] http://lists.fedoraproject.org/pipermail/package-announce/2010-June/042751.html

[Not Applicable] http://secunia.com/advisories/34522

[Not Applicable] http://secunia.com/advisories/40194

[Not Applicable] http://secunia.com/advisories/42888

[Not Applicable] http://secunia.com/advisories/50858

[Not Applicable] http://secunia.com/advisories/51024

[Not Applicable] http://secunia.com/advisories/51040

[Not Applicable] http://secunia.com/advisories/51087

[Third Party Advisory] http://security.gentoo.org/glsa/glsa-200903-41.xml

[Third Party Advisory] http://security.gentoo.org/glsa/glsa-200904-06.xml

[Mailing List] http://www.mail-archive.com/debian-bugs-dist%40lists.debian.org/msg586010.html

[Broken Link] http://www.nabble.com/Bug-484305%3A-bicyclerepair%3A-bike.vim-imports-untrusted-python-files-from-cwd-td18848099.html

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2009/01/26/2

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2009/01/28/5

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2009/01/30/2

[Third Party Advisory] http://www.redhat.com/support/errata/RHSA-2011-0027.html

[Third Party Advisory] http://www.ubuntu.com/usn/USN-1596-1

[Third Party Advisory] http://www.ubuntu.com/usn/USN-1613-1

[Third Party Advisory] http://www.ubuntu.com/usn/USN-1613-2

[Third Party Advisory] http://www.ubuntu.com/usn/USN-1616-1

... and 3 more

Scores

EPSS 0.0012

EPSS Percentile 30.7%

Classification

CWE

CWE-426

Status draft

Affected Products (6)

python/python < 2.6.6

fedoraproject/fedora

canonical/ubuntu_linux

canonical/ubuntu_linux

canonical/ubuntu_linux

canonical/ubuntu_linux

Timeline

Published Jan 28, 2009

Tracked Since Feb 18, 2026