GNOME Bugzilla – Bug 569272
gedit: untrusted python modules search path
Last modified: 2010-01-11 21:23:26 UTC
+++ This bug was initially created as a clone of Bug #569214 +++

(From Jan Lieskovsky, https://bugzilla.redhat.com/show_bug.cgi?id=481556)

"Untrusted search path vulnerability in gedit's Python module allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to an erroneous setting of sys.path by the PySys_SetArgv function.

References:
http://www.nabble.com/Bug-484305%3A-bicyclerepair%3A-bike.vim-imports-untrusted-python-files-from-cwd-td18848099.html

Debian bug report for similar eog issue:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504352#4

Proposed patch:
Not sure, if gedit's upstream has been reported about this issue. The Debian patch for similar eog's Python related issue, available at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=02_sanitize_sys.path.patch;att=1;bug=504352
should be sufficient to resolve this issue."

There's no CVE assigned yet, but one has been requested. The security severity is considered "low".
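The mechanism described above, as an added illustration that is not part of the bug report or of any of the referenced patches: when an embedding application calls PySys_SetArgv, the interpreter prepends the directory of argv[0] (the empty string, meaning the current working directory, when argv[0] has no path) to sys.path, so a module lookup from a plugin loader will consult whatever directory the user happened to start the program in. The sanitising step shown here (dropping entries that resolve to the cwd) is an assumption about the general shape of the fix, not a copy of the Debian patch; the plugin directory and module name are constructed for the demo.

```python
"""Show why an unsanitised sys.path resolves modules from the working
directory, and how dropping the cwd entries stops it.  Example code added
to this page; not gedit's, nautilus-python's or the Debian patch's code."""
import importlib.machinery
import os
import tempfile


def sanitize_sys_path(entries, cwd=None):
    """Return a copy of `entries` without anything that resolves to the
    current working directory: the empty string, '.', or a path that
    normalises to cwd.  Remaining entries keep their order.

    This mirrors (as an assumption) what a post-PySys_SetArgv clean-up in
    the embedding application would do before loading plugins."""
    cwd = os.path.realpath(cwd if cwd is not None else os.getcwd())
    cleaned = []
    for entry in entries:
        if entry in ("", "."):
            continue
        if os.path.realpath(entry) == cwd:
            continue
        cleaned.append(entry)
    return cleaned


def module_found_from(entries, module_name):
    """Ask the import machinery whether `module_name` would be resolved
    from the given path entries, without importing (executing) it."""
    spec = importlib.machinery.PathFinder.find_spec(module_name, entries)
    return spec is not None


def demo():
    """Create a throwaway directory holding a module with a plugin-like name,
    make it the working directory, and compare lookups before and after
    sanitising.  Returns (found_before, found_after)."""
    module_name = "decoy_plugin_module"  # constructed name for the demo
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as workdir:
        # A harmless file whose only purpose is to show that cwd is searched.
        with open(os.path.join(workdir, module_name + ".py"), "w") as fh:
            fh.write("# placed here only to show that cwd is on the path\n")
        os.chdir(workdir)
        try:
            # What PySys_SetArgv leaves behind: '' (the cwd) ahead of the
            # application's real plugin directory (constructed placeholder).
            path_entries = ["", "/usr/lib/example-app/plugins"]
            found_before = module_found_from(path_entries, module_name)
            found_after = module_found_from(
                sanitize_sys_path(path_entries), module_name)
        finally:
            os.chdir(old_cwd)
    return found_before, found_after


if __name__ == "__main__":
    before, after = demo()
    print("resolved from cwd before sanitising:", before)
    print("resolved from cwd after sanitising: ", after)
```

The lookup uses PathFinder.find_spec with an explicit path list rather than mutating the real sys.path, so the check never executes the file it finds; an embedding application would run the equivalent clean-up once, right after PySys_SetArgv and before the first plugin import.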
-> nautilus-python
Created attachment 129446
untested patch (based off of 0.5.1)

This is based off of a patch in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504251 for Dia. It compiles for me on a Gentoo x86 machine.
This problem has been fixed in the development version. The fix will be available in the next major software release. Thank you for your bug report.