[Python-Dev] FWD: Python execvpe symlink race condition. (original) (raw)

Zack Weinberg zack@codesourcery.com
Sun, 16 Feb 2003 09:56:12 -0800

• Previous message: [Python-Dev] FWD: Python execvpe symlink race condition.
• Next message: [Python-Dev] FWD: Python execvpe symlink race condition.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Guido van Rossum <guido@python.org> writes:

[Aahz, quoting an anonymous security report]

>> >> It is possible, to create a link of the file to be executed >> >> (t) in the limited time window between the statements >> >> os.path.exists(file) in tempfile.py and execv(t, ('blah',)) in >> >> os.py are executed. [Zack] >> That is exactly the signature of one of the tempfile bugs that I >> fixed. I do not know whether any official 2.2.x release has yet >> occurred that includes the bugfix. [Aahz] > That's what I suspected. Did you check that into the 2.2.x maint > branch? (I remember that you did, but I'm triple-checking.) [Zack] I don't have write privileges. I thought that it was checked into the 2.2.x maint branch but I don't actually know. Zack's changes to tempfile.py were not checked into Python 2.2 -- they require API changes that are difficult to justify. (The changes by Zack that you remember being checked into 2.2 were execve.)

The present report should have been addressed by the execve changes.

zw

• Previous message: [Python-Dev] FWD: Python execvpe symlink race condition.
• Next message: [Python-Dev] FWD: Python execvpe symlink race condition.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]