
Author: stephen.farris
Recipients: Guido.van.Rossum, lemburg, stephen.farris
Date: 2014-11-16.18:39:00
Message-id: <1416163141.0.0.643597983294.issue22885@psf.upfronthosting.co.za>
In-reply-to:
Content:
The dumbdbm module uses an unchecked call to eval() in the _update method, which is called in response to a call to dumbdbm.open(), and is used to load the index from the directory file. This poses a security vulnerability because it allows an attacker to execute arbitrary code on the victim's machine by inserting Python code into the DBM directory file. This vulnerability could allow an attacker to execute arbitrary commands on the victim machine, potentially allowing them to deploy malware, gain system access, destroy files and data, expose sensitive information, etc.
History
Date User Action Args
2014-11-16 18:39:01 stephen.farris set recipients: + stephen.farris, lemburg, Guido.van.Rossum
2014-11-16 18:39:01 stephen.farris set messageid: <1416163141.0.0.643597983294.issue22885@psf.upfronthosting.co.za>
2014-11-16 18:39:00 stephen.farris link issue22885 messages
2014-11-16 18:39:00 stephen.farris create
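
One way to load such an index without evaluating it, as an added example that is not part of the original report or of the dumbdbm module: each directory line is parsed with ast.literal_eval() and then shape-checked, so a line containing anything other than a plain literal is rejected instead of executed. The names parse_entry and load_index are hypothetical, the sample data is constructed, and the line format `key, (pos, size)` is assumed from what dumbdbm writes to its directory file.

```python
import ast

# Constructed sample of a directory (.dir) file, assumed format: one
# "key, (pos, size)" entry per line. Line 3 is an expression eval() would run.
SAMPLE_DIR = """'alpha', (0, 5)
'beta', (512, 12)
str(len('x')), (0, 1)
'gamma', (1024, -3)
'delta', [0, 5, 9]
"""


def parse_entry(line):
    """Parse one directory line without executing it; raise ValueError if invalid."""
    try:
        value = ast.literal_eval(line.strip())  # literals only: no calls, no names
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("not a plain literal: %s" % exc.__class__.__name__)
    if not (isinstance(value, tuple) and len(value) == 2):
        raise ValueError("expected (key, (pos, size))")
    key, pair = value
    if not isinstance(key, (str, bytes)):
        raise ValueError("key must be a string")
    if not (isinstance(pair, tuple) and len(pair) == 2
            and all(type(n) is int and n >= 0 for n in pair)):
        raise ValueError("pos and size must be non-negative integers")
    return key, pair


def load_index(text):
    """Return (index, rejected), where rejected lists (line number, reason)."""
    index, rejected = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            key, pair = parse_entry(line)
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
        else:
            index[key] = pair
    return index, rejected


if __name__ == "__main__":
    index, rejected = load_index(SAMPLE_DIR)
    print(index)
    for lineno, reason in rejected:
        print("line %d rejected: %s" % (lineno, reason))
```

The rejected list doubles as an audit result: any entry in it means the directory file contains a line that dumbdbm itself would not have written.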