According to these links (provided by Jan Lieskovsky in the thread referenced 
above), Python 2.6 is affected as well.
http://www.openwall.com/lists/oss-security/2009/01/28/5
https://bugzilla.redhat.com/show_bug.cgi?id=482814#c1

** Description changed:

- Binary package hint: python2.5
- 
- There's an interesting bug (or feature?) in Python 2.5 and earlier that
+ There's an interesting bug (or feature?) in Python 2.6 and earlier that
  affects multiple applications using Python. The bug allows local or
  user-assisted remote arbitrary code execution. Here is the description
  of the Python CVE:
  
  "Untrusted search path vulnerability in the PySys_SetArgv API function
  in Python before 2.6 prepends an empty string to sys.path when the
  argv[0] argument does not contain a path separator, which might allow
  local users to execute arbitrary code via a Trojan horse Python file
  in the current working directory."
+ 
+ (Python 2.6 is vulnerable, too. See the comments.)
  
  Affected packages are, at least:
  
  CVE-2008-4863 - Blender (already fixed in Ubuntu, I think) 
  CVE-2008-5983 - Python
  CVE-2008-5984 - Dia
  CVE-2008-5985 - Epiphany
  CVE-2008-5986 - Csound
  CVE-2008-5987 - eog
  CVE-2009-0314 - gedit
  CVE-2009-0315 - xchat
  CVE-2009-0316 - vim
  CVE-2009-0317 - Nautilus
  CVE-2009-0318 - Gnumeric
  
  I'm not sure which versions of these packages and which Ubuntu releases
  are actually affected, though.
  
  Source and more information:
  oss-security thread at http://www.openwall.com/lists/oss-security/2009/01/28/2

-- 
Untrusted search path vulnerability in Python and multiple other programs
https://bugs.launchpad.net/bugs/322196
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

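Added example, not part of the bug report or of Python itself: a Python 3 model of the
search-path behaviour quoted from the CVE text above. setargv_prefix() mimics what the
pre-fix PySys_SetArgv prepended to sys.path (the directory of argv[0], which is the empty
string, i.e. the current directory, when argv[0] has no path separator); the rest plants a
Trojan module in a scratch directory, makes that directory the CWD, and shows that the
vulnerable search path resolves and executes the Trojan while a search path with '' and the
CWD stripped does not. The module name lp322196_demo_plugin and the application search path
/usr/lib/python-app-demo are constructed stand-ins, not names from any real package.

```python
import importlib.machinery
import importlib.util
import os
import shutil
import tempfile
import textwrap

# Name of the module the (hypothetical) embedding application imports at
# startup. An attacker only has to guess it to plant a Trojan copy in a
# directory the victim will run the application from.
PLUGIN_MODULE = "lp322196_demo_plugin"   # constructed name for this demo


def setargv_prefix(argv0):
    """Model the pre-fix PySys_SetArgv behaviour from the CVE description:
    the directory of argv[0] is prepended to sys.path, and when argv[0]
    contains no path separator that directory is '' (the CWD)."""
    if os.sep in argv0:
        return os.path.dirname(argv0)
    return ""


def resolve(name, search_path):
    """Return the file the import machinery would load `name` from when
    searching `search_path` in order, or None if nothing matches."""
    spec = importlib.machinery.PathFinder.find_spec(name, list(search_path))
    return spec.origin if spec is not None else None


def harden(search_path, cwd):
    """Strip '' and any entry that is the current directory. This is the
    manual fix an embedding application needed before Python grew
    PySys_SetArgvEx() with updatepath=0."""
    cleaned = []
    for entry in search_path:
        if entry == "":
            continue
        if os.path.realpath(entry) == os.path.realpath(cwd):
            continue
        cleaned.append(entry)
    return cleaned


def run_demo(argv0="myapp"):
    """Plant a Trojan module in a scratch directory, chdir into it, and
    report what the vulnerable and hardened search paths resolve to."""
    app_path = ["/usr/lib/python-app-demo"]   # constructed stand-in for the app's real path
    scratch = tempfile.mkdtemp()
    trojan = os.path.join(scratch, PLUGIN_MODULE + ".py")
    with open(trojan, "w") as fh:
        fh.write(textwrap.dedent("""\
            # Trojan horse module (constructed for the demo). In a real attack
            # this would run arbitrary code as the user launching the program.
            PAYLOAD = "trojan code executed from " + __file__
        """))
    old_cwd = os.getcwd()
    os.chdir(scratch)
    try:
        prefix = setargv_prefix(argv0)
        vulnerable_path = [prefix] + app_path
        hardened_path = harden(vulnerable_path, os.getcwd())
        vulnerable_origin = resolve(PLUGIN_MODULE, vulnerable_path)
        hardened_origin = resolve(PLUGIN_MODULE, hardened_path)
        payload = None
        if vulnerable_origin is not None:
            # Actually execute the resolved file to show it is attacker code.
            spec = importlib.util.spec_from_file_location(PLUGIN_MODULE, vulnerable_origin)
            module = importlib.util.module_from_spec(spec)
            spec.loader.exec_module(module)
            payload = module.PAYLOAD
    finally:
        os.chdir(old_cwd)
        shutil.rmtree(scratch, ignore_errors=True)
    return {
        "prefix": prefix,
        "vulnerable_origin": vulnerable_origin,
        "hardened_origin": hardened_origin,
        "payload": payload,
    }


if __name__ == "__main__":
    for key, value in run_demo("myapp").items():
        print(key, "=", value)
```

Running it with argv0 "myapp" (no separator) gives prefix '' and a vulnerable_origin
pointing into the scratch directory, with the Trojan's PAYLOAD string proving the code ran;
the hardened path resolves to None. Applications that embed Python got the real fix through
PySys_SetArgvEx() and its updatepath argument in later releases; until then, removing ''
and the CWD from sys.path right after PySys_SetArgv(), as harden() does, was the workaround.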