Description: Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute arbitrary code via a Trojan horse Python file in the current working directory.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 572010, 575780

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs


[etch] - python2.5 <no-dsa> (Minor issue)
[lenny] - python2.5 <no-dsa> (Minor issue)
[squeeze] - python2.5 <no-dsa> (Minor issue, patch only introduces a new, more secure API)
[etch] - python2.4 <no-dsa> (Minor issue)
[lenny] - python2.4 <no-dsa> (Minor issue)
I suppose the behaviour will be changed in a future Python release, but a backport has a significant risk of breakage for little gain. If a proper upstream patch should be available, this can be re-evaluated.
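The mechanism in the description above, as an added Python example that is not part of this Debian tracker entry or of CPython itself: it reproduces the sys.path shape the description attributes to PySys_SetArgv (an empty string at index 0), shows that a module file sitting in the working directory becomes the first import hit, and applies the mitigation an embedding application can take at startup, dropping '' and the working directory from sys.path before any user-influenced import runs. The module name shadowed_mod, the temporary directory and the helper names cwd_entries, harden_path, find_module_dir and demo are constructed for this example.

```python
import os
import sys
import tempfile
from importlib.machinery import PathFinder


def cwd_entries(path_list, cwd=None):
    """Indexes of entries in path_list that resolve to the working directory.

    An empty string is what PySys_SetArgv prepended; the import system treats
    '' on sys.path as "the current working directory at import time".
    """
    cwd = os.path.realpath(cwd or os.getcwd())
    hits = []
    for i, entry in enumerate(path_list):
        if entry == "" or os.path.realpath(entry) == cwd:
            hits.append(i)
    return hits


def harden_path(path_list, cwd=None):
    """Copy of path_list with '' and the working directory removed."""
    drop = set(cwd_entries(path_list, cwd))
    return [e for i, e in enumerate(path_list) if i not in drop]


def find_module_dir(name, path_list):
    """Directory from which `import name` would load, or None if not found."""
    spec = PathFinder.find_spec(name, path_list)
    if spec is None or not spec.origin:
        return None
    return os.path.realpath(os.path.dirname(spec.origin))


def demo():
    """Constructed scenario (added example, hypothetical file name): a module
    in the working directory is found first when '' leads sys.path and is not
    found at all once the path is hardened.
    Returns (found_with_empty_entry, found_after_hardening)."""
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, "shadowed_mod.py"), "w") as fh:
            fh.write("# constructed sample module\n")
        previous = os.getcwd()
        os.chdir(workdir)
        try:
            # Shape produced by the vulnerable PySys_SetArgv: '' at index 0.
            unsafe = [""] + [p for p in sys.path if p]
            safe = harden_path(unsafe)
            target = os.path.realpath(workdir)
            return (find_module_dir("shadowed_mod", unsafe) == target,
                    find_module_dir("shadowed_mod", safe) is None)
        finally:
            os.chdir(previous)


if __name__ == "__main__":
    print(demo())  # → (True, True)
```

The maintainer note above refers to upstream's replacement API without naming it; it is PySys_SetArgvEx, which takes an updatepath flag, and passing 0 leaves sys.path untouched so an embedding program never receives the '' entry at all. Code that must keep calling PySys_SetArgv can instead run a sanitiser like harden_path immediately after interpreter initialisation and assign the result back to sys.path; checking that cwd_entries(sys.path) is empty is a cheap startup self-test for the same condition.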
