--- /dev/null
+* Python mode will not inappropriately load modules in the current directory.
+ Patch: fix-python-module-handling-cve-2008-3949.diff
+ Provided-by: Chong Yidong <cyd@stupidchicken.com>
+ Originally-reported-by: Sven Joachim <svenjoac@gmx.de>
+ Date: Fri, 19 Sep 2008 23:06:33 +0200
+ Added-by: Rob Browning <rlb@defaultvalue.org>
+ Status: incorporated upstream
+
+ Chong Yidong <cyd@stupidchicken.com> describes the problem as
+ follows:
+
+ The Emacs command `run-python' launches an interactive Python
+ interpreter. After the Python process starts up, Emacs
+ automatically sends it the line
+
+ import emacs
+
+ which normally imports a script named emacs.py which is
+ distributed with Emacs. This script, which is typically located
+ in a write-protected installation directory with other Emacs
+ program files, defines various functions to help the Python
+ process communicate with Emacs.
+
+ The vulnerability arises because Python, by default, prepends ''
+ to the module search path, so modules are looked for in the
+ current directory. If the current directory is world-writable, an
+ attacker may insert malicious code by adding a fake Python module
+ named emacs.py into that directory.
+
+ Furthermore, emacs.py imports other non-built-in Python modules,
+ such as `inspect'. The same vulnerability exists for these import
+ statements.
+
+ By default, merely visiting and editing a *.py source file does
+ not launch a Python subprocess; you either have to call `M-x
+ run-python', or enable Emacs code that calls `run-python'
+ automatically, such as `eldoc-mode'.
+
+ The Python developers, in a private communication, have stated
+ that they do not regard this module-importing behavior as a
+ security problem for Python per se, because running a python
+ script in a world-writable directory is itself a security hazard.
+ In the Emacs context, however, it's much less obvious that it's
+ unsafe to call `run-python' while the current directory is
+ world-writable; therefore, the problem discussed here can be
+ regarded as a security risk.
+
+ The fix adds arguments to the invocation of Python which remove ''
+ from sys.path. Since sys is a built-in module, it cannot be
+ overridden via the current directory before this code executes.
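+
+ A small added illustration (not part of this patch or of Emacs) of the
+ search-order problem the description above explains, together with the
+ guarded form of the fix. The resolver is a simplified stand-in for
+ Python's first-match path finder; directory names, mode bits and the
+ fake module listing are constructed for the demo.
+
```python
import stat

def first_match(module, search_path, listing, cwd):
    """Return the directory from which `import module` would be satisfied,
    using Python's first-match rule over sys.path. `listing` maps a directory
    to the set of files in it (constructed; stands in for the filesystem).
    The empty entry '' is what Python prepends for -i / -c runs and means cwd."""
    for entry in search_path:
        directory = cwd if entry == "" else entry
        if module + ".py" in listing.get(directory, set()):
            return directory
    return None

def harden_path(search_path, cwd):
    """Drop the implicit current-directory entries from a sys.path list.
    Unlike a bare sys.path.remove(''), this does not raise ValueError when
    '' is absent (e.g. if the interpreter was started with a safe-path option)."""
    return [p for p in search_path if p not in ("", ".", cwd)]

def is_world_writable(mode):
    """True when any user can drop a file into a directory with this st_mode
    (others-writable and no sticky bit), i.e. the precondition for planting
    a fake emacs.py that the description above warns about."""
    return bool(mode & stat.S_IWOTH) and not bool(mode & stat.S_ISVTX)

def demo():
    """Resolve `import emacs` before and after hardening the search path."""
    data_dir = "/usr/share/emacs/etc"   # placeholder for Emacs's data-directory
    cwd = "/tmp/shared"                 # constructed world-writable working dir
    listing = {data_dir: {"emacs.py"},  # the real helper script shipped by Emacs
               cwd: {"emacs.py"}}       # a same-named file planted in cwd
    unpatched = ["", data_dir, "/usr/lib/python"]
    patched = harden_path(unpatched, cwd)
    return (first_match("emacs", unpatched, listing, cwd),
            first_match("emacs", patched, listing, cwd))

if __name__ == "__main__":
    print(demo())   # the planted copy wins first, the shipped copy after hardening
```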
+
+Index: sid/lisp/progmodes/python.el
+===================================================================
+--- sid.orig/lisp/progmodes/python.el
++++ sid/lisp/progmodes/python.el
+@@ -1355,7 +1355,9 @@
+ ;; invoked. Would support multiple processes better.
+ (when (or new (not (comint-check-proc python-buffer)))
+ (with-current-buffer
+- (let* ((cmdlist (append (python-args-to-list cmd) '("-i")))
++ (let* ((cmdlist
++ (append (python-args-to-list cmd)
++ '("-i" "-c" "import sys; sys.path.remove('')")))
+ (path (getenv "PYTHONPATH"))
+ (process-environment ; to import emacs.py
+ (cons (concat "PYTHONPATH=" data-directory
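Review bot: the added `'("-i" "-c" "import sys; sys.path.remove('')")` line raises an uncaught ValueError whenever '' is not already on sys.path (for example if the user's command string already supplies a safe-path option or a later Python drops the implicit entry), producing a traceback in the inferior Python buffer rather than a silent no-op; a guarded form such as `"import sys; sys.path[:] = [p for p in sys.path if p != '']"` keeps the same effect without that failure mode and also covers a duplicate '' entry. The following context `(process-environment ; to import emacs.py` / `(cons (concat "PYTHONPATH=" data-directory` shows emacs.py still being found via PYTHONPATH after the removal, so the change does not need a comment beyond the description, but the reason for the `-c` argument is worth a one-line remark in the code since it is otherwise opaque.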