How to decide which module is in charge of this error? cx-Freeze or pynput or six?

2020-01-09 Thread jfong
Taking the simple\hello.py file in the cx_Freeze\samples directory as an 
example, I insert this line into hello.py:

from pynput.keyboard import Key, Controller

then build the executable using the "py setup.py build" command; the on-screen 
message shows this missing-module warning:

...
Missing modules:
...
? six.moves imported from pynput._util
...

Running the created hello.exe causes this error:

...
from pynput._util import Events
  File "C:\Users\jfong\AppData\Local\Programs\Python\Python36-32\lib\site-packages\pynput\_util\__init__.py", line 33, in 
from six.moves import queue
  File "C:\Users\jfong\AppData\Local\Programs\Python\Python36-32\lib\site-packages\six.py", line 92, in __get__
result = self._resolve()
  File "C:\Users\jfong\AppData\Local\Programs\Python\Python36-32\lib\site-packages\six.py", line 115, in _resolve
return _import_module(self.mod)
  File "C:\Users\jfong\AppData\Local\Programs\Python\Python36-32\lib\site-packages\six.py", line 82, in _import_module
__import__(name)
ModuleNotFoundError: No module named 'queue'

If I change line 33 in the file pynput\_util\__init__.py
from six.moves import queue
to
import queue
and re-build, then that missing-module warning is gone and hello.exe executes correctly.

My question is how to decide which module causes this problem?

PS. My environment is Windows 8.1, Python 3.6.8, cx-Freeze 5.1.1, pynput 1.6.5, 
six 1.13.0. I tried upgrading cx-Freeze to the latest v6.1, but the result is 
the same.

--Jach
-- 
https://mail.python.org/mailman/listinfo/python-list
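The traceback in the question already names the mechanism: six.moves resolves `queue` through `__import__(self.mod)` at attribute-access time (six.py line 82), so the module name reaches the freezer's static import scanner only as a string. The following is an added example, not code from the thread, from cx_Freeze or from six, that reproduces the effect with the standard library alone: `LazyModule` is a stand-in written here for six's MovedModule, and `modulefinder` stands in for cx_Freeze's finder, which likewise scans bytecode for import opcodes. The two probe scripts are constructed for the demonstration.

```python
"""Why a static freezer misses a module that is loaded through a lazy proxy
such as six.moves.  Added example (not part of the original thread); uses
only the standard library."""
import modulefinder
import os
import tempfile
import textwrap

# Constructed probe A: a plain import statement, visible to bytecode scanning.
DIRECT = "import queue\nq = queue.Queue()\n"

# Constructed probe B: the module is named only as a string and imported at
# attribute-access time, the way six.moves resolves 'queue'.  LazyModule is
# an assumed stand-in for six's MovedModule, not six's own code.
LAZY = textwrap.dedent("""
    class LazyModule:
        def __init__(self, name):
            self.mod = name
        def __getattr__(self, attr):
            module = __import__(self.mod)   # runtime import; just a string to the scanner
            return getattr(module, attr)
    queue = LazyModule("queue")
    q = queue.Queue()
""")


def modules_found(script_source: str) -> set:
    """Run modulefinder over a script and return the module names it found."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "probe.py")
        with open(path, "w") as f:
            f.write(script_source)
        finder = modulefinder.ModuleFinder()
        finder.run_script(path)
        return set(finder.modules)


def finder_sees_queue(script_source: str) -> bool:
    """True if static scanning of the script discovers the 'queue' module."""
    return "queue" in modules_found(script_source)


if __name__ == "__main__":
    print("direct import, queue found:", finder_sees_queue(DIRECT))   # True
    print("lazy import,   queue found:", finder_sees_queue(LAZY))     # False
```

The practical reading is that no single package is "at fault": six deliberately defers the import, pynput relies on that, and the freezer's scanner cannot follow a runtime `__import__`. The module therefore has to be named explicitly to the freezer (for cx_Freeze, the `includes` option of `build_exe`, e.g. `"includes": ["queue"]`) rather than by editing an installed package, which a later upgrade would silently revert.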


Re: Coding technique: distinguish using type or abc?

2020-01-09 Thread Marko Rauhamaa
r...@zedat.fu-berlin.de (Stefan Ram):
> if type( object ) is list:

I would recommend isinstance() because:

   >>> isinstance(True, int)
   True
   >>> type(True) is int
   False


Marko
-- 
https://mail.python.org/mailman/listinfo/python-list


[ANN] PyInstaller 3.6

2020-01-09 Thread Hartmut Goebel
Hello,

on behalf of the PyInstaller development team I'm happy to announce
PyInstaller 3.6.

This version fixes a Local Privilege Escalation vulnerability affecting all 
Windows software frozen by PyInstaller in "onefile" mode, no matter which 
version of PyInstaller was used.

   http://www.pyinstaller.org


Thanks for all those who contributed questions, bug-reports or
pull-requests.


PyInstaller is in urgent need of funding to make future security fixes
happen, see  for
details.


=== What it is ===

PyInstaller bundles a Python application and all its dependencies into a
single package. The user can run the packaged app without installing a
Python interpreter or any modules.

PyInstaller reads a Python script written by you. It analyzes your code to
discover every other module and library your script needs in order to
execute.
Then it collects copies of all those files – including the active Python
interpreter! – and puts them with your script in a single folder, or
optionally in a single executable file.

PyInstaller is tested against Windows, Mac OS X, and Linux. However, it
is not a cross-compiler: to make a Windows app you run PyInstaller in
Windows; to make a Linux app you run it in Linux, etc. PyInstaller has
been used successfully with AIX, Solaris, and FreeBSD, but is not tested
against them.


=== Help keeping PyInstaller alive ===

Maintaining PyInstaller is a huge amount of work.
PyInstaller development can only continue
if users and companies provide sustainable funding.
Please consider recurring donations.
See http://www.pyinstaller.org/funding.html for how
to support PyInstaller.


=== Installation ===

PyInstaller can be installed from PyPI using

   pip install pyinstaller

=== Important Changes ===

* Fixes a Local Privilege Escalation vulnerability affecting all Windows
  software frozen by PyInstaller in "onefile" mode.


* More than 20 hooks added, more than 15 hooks fixed or improved.

* More than 20 bugs fixed.

* Python 3.4 is no longer tested, since this version is
  end-of-life already.

The full changelog for this release can be found at:

   https://pyinstaller.readthedocs.io/en/v3.6/CHANGES.html


=== Feedback ===

We're eager to listen to your feedback on using PyInstaller:

 Bug tracker: https://github.com/pyinstaller/pyinstaller/issues
 Mailing list: http://groups.google.com/group/PyInstaller

-- 
Kind regards
Hartmut Goebel
Dipl.-Informatiker (univ), CISSP, CSSLP, ISO 27001 Lead Implementer
Information Security Management, Security Governance, Secure Software
Development

Goebel Consult, Landshut
http://www.goebel-consult.de

Blog:
http://www.goebel-consult.de/blog/warum-sie-nicht-perl-programmiern-sollten
Column: http://www.cissp-gefluester.de/2012-02-bring-your-own-life-glosse

-- 
https://mail.python.org/mailman/listinfo/python-list


[ANN][SECURITY] Local Privilege Escalation in all Windows software frozen by PyInstaller in "onefile" mode

2020-01-09 Thread Hartmut Goebel
Severity: high: CVSSv3 score: 7.0
Packages: PyInstaller (Windows)
Affected versions:  <= 3.5
Patched versions: 3.6, available at https://pypi.org/project/PyInstaller/
CVE identifier: CVE-2019-16784


  Impact

Local Privilege Escalation in all Windows software frozen by
PyInstaller in "onefile" mode, caused by insecure directory permissions
of sys._MEIPATH.

While PyInstaller itself was not vulnerable, all Windows software
frozen by PyInstaller in "onefile" mode is vulnerable.

The vulnerability is present only on Windows and in this particular
case: if software frozen by PyInstaller in "onefile" mode is
launched by a (privileged) user whose "TempPath" resolves to
a world-writable directory. This is the case e.g. if the software is
launched as a service or as a scheduled task using a system account (in
which case TempPath will default to C:\Windows\Temp).

In order to be exploitable the software has to be (re)started after the
attacker has launched the exploit program. So for a service launched at
startup, a service restart is needed (e.g. after a crash or an upgrade).

While PyInstaller itself was not vulnerable, all Windows software frozen
by PyInstaller in "onefile" mode is vulnerable.

CVSSv3 score: 7.0 (High)
CVSSv3 vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H


  Patches

The problem is patched in commits 42a67148b3bdf9 (fixed code)
and be948cf09547 (recompiled bootloaders).
Users should upgrade to PyInstaller version 3.6 and rebuild their
software. The new version is available at
https://pypi.org/project/PyInstaller/


  Workarounds

There is no known workaround: Users using PyInstaller to freeze their
Windows software using "onefile" mode should upgrade PyInstaller and
rebuild their software. The new version is available at
https://pypi.org/project/PyInstaller/


  Credits

This vulnerability was discovered and reported by Farid AYOUJIL
(@faridtsl), David HA, Florent LE NIGER and Yann GASCUEL (@lnv42) from
Alter Solutions (@AlterSolutions) and fixed in collaboration with
Hartmut Goebel (@htgoebel, maintainer of PyInstaller).


  Funding Development

PyInstaller is in urgent need of funding to make future security fixes
happen, see  for
details.

-- 
Kind regards
Hartmut Goebel
Dipl.-Informatiker (univ), CISSP, CSSLP, ISO 27001 Lead Implementer
Information Security Management, Security Governance, Secure Software
Development

Goebel Consult, Landshut
http://www.goebel-consult.de

Blog: https://www.goe-con.de/blog/e-mails-weiterhin-verschlusseln
Column:
https://www.goe-con.de/hartmut-goebel/cissp-gefluester/2010-11-it-sicherheit-im-unternehmen-eine-interne-oder-externe-angelegenheit


-- 
https://mail.python.org/mailman/listinfo/python-list
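The advisory's precondition is an extraction directory that lives under a TempPath resolving to a world-writable location. What follows is an added example, not code from the advisory or from PyInstaller, of the defensive rule any self-extracting program should apply before trusting such a directory: create it fresh with owner-only permissions and refuse one that is writable by other accounts. The helpers implement the POSIX mode-bit version of that check (the function names are assumptions made here); on Windows the same decision has to be made from the directory's ACL, which this example does not implement.

```python
"""Defensive check for a runtime extraction directory.  Added example, not
part of the advisory or of PyInstaller's bootloader.  POSIX mode bits only;
the Windows ACL equivalent is not implemented here (assumption)."""
import os
import stat
import tempfile


def extraction_dir_problems(path: str) -> list:
    """Return the reasons why `path` is unsafe to extract and load code from.
    An empty list means the directory passed every check."""
    problems = []
    try:
        st = os.lstat(path)          # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return ["does not exist"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink")
    if not stat.S_ISDIR(st.st_mode):
        problems.append("is not a directory")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        problems.append("not owned by the current user")
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")   # the advisory's C:\Windows\Temp case
    return problems


def make_private_extraction_dir(parent: str = None) -> str:
    """Create a uniquely named, owner-only directory and verify it before use.
    mkdtemp creates the name atomically and fails rather than reusing an
    existing entry, so a pre-created directory cannot be adopted."""
    path = tempfile.mkdtemp(prefix="_MEI", dir=parent)
    os.chmod(path, 0o700)
    problems = extraction_dir_problems(path)
    if problems:
        os.rmdir(path)
        raise PermissionError(f"{path}: {', '.join(problems)}")
    return path


def problems_for_mode(mode: int) -> list:
    """Create a private directory, relax it to `mode`, and report what the
    check finds; demonstrates the world-writable condition from the advisory."""
    path = make_private_extraction_dir()
    try:
        os.chmod(path, mode)
        return extraction_dir_problems(path)
    finally:
        os.rmdir(path)


if __name__ == "__main__":
    print("0o700:", problems_for_mode(0o700))    # []
    print("0o777:", problems_for_mode(0o777))    # ['group-writable', 'world-writable']
```

The ordering matters: the permissions are verified after creation and before anything is written into or imported from the directory, so a directory that was already present, is owned by someone else, or was widened after creation is rejected instead of silently used.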