[Secure-testing-team] Bug#504363: epiphany-browser: Python plugins load modules from current directory
James Vega
jamessan at debian.org
Mon Nov 3 02:42:41 UTC 2008

Package: epiphany-browser
Version: 2.22.3-6
Severity: grave
Tags: security patch upstream
Justification: user security hole
Usertags: pythonpath

Epiphany's python interface calls PySys_SetArgv with an argv[0] that
doesn't resolve to a filename. This causes Python to prepend sys.path
with an empty string which, due to the use of relative imports, allows
the possibility to run arbitrary code on the user's system if a file in
their working directory matches the name of a python module epiphany
tries to import.

This should be fixed by Python 2.6 as it uses absolute imports by
default, but I have not been able to test it and this still needs a fix
for packages built against/used with the currently supported versions of
Python.
--
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan at debian.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sanitize_sys.path.diff
Type: text/x-diff
Size: 311 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081102/98f0fcea/attachment-0001.diff
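
The search-path behaviour described in the report, as an added example (not part of the original message and not the contents of sanitize_sys.path.diff). It shows which file a module name resolves to when the search path starts with an empty string, and again after dropping every non-absolute entry. The module name demo_plugin_helper, the directories trusted and workdir, and the rule "keep only absolute entries" are constructed for this illustration.

```python
import importlib
import importlib.machinery
import os
import tempfile


def relative_entries(path):
    """Entries that are resolved against the working directory at import time."""
    return [p for p in path if not os.path.isabs(p)]


def sanitized(path):
    """Assumed hardening rule: keep only absolute search-path entries."""
    return [p for p in path if os.path.isabs(p)]


def resolve(name, path):
    """Return the file `name` would be loaded from under `path` (nothing is executed)."""
    importlib.invalidate_caches()
    spec = importlib.machinery.PathFinder.find_spec(name, path)
    return spec.origin if spec else None


def demo():
    # Constructed layout: 'trusted' stands in for the application's own module
    # directory, 'workdir' for whatever directory the program was started from.
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        trusted = os.path.join(root, "trusted")
        workdir = os.path.join(root, "workdir")
        for d in (trusted, workdir):
            os.mkdir(d)
            with open(os.path.join(d, "demo_plugin_helper.py"), "w") as f:
                f.write("ORIGIN = %r\n" % os.path.basename(d))
        old_cwd = os.getcwd()
        os.chdir(workdir)
        try:
            embedded = ["", trusted]  # '' prepended, as the report describes
            before = resolve("demo_plugin_helper", embedded)
            after = resolve("demo_plugin_helper", sanitized(embedded))
        finally:
            os.chdir(old_cwd)
        origin_dir = lambda p: os.path.basename(os.path.dirname(p))
        return origin_dir(before), origin_dir(after), relative_entries(embedded)


if __name__ == "__main__":
    print(demo())
```

For programs that embed CPython, later releases added PySys_SetArgvEx, whose updatepath argument can be set to 0 so that sys.path is not modified at all.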