Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
SECURITY FIX: Prevent code execution through crafted pyc files
When loading a template from an arbitrary file through the AddTemplate() D-Bus method call or DBusTestCase.spawn_server_template() Python method, don't create or use Python's *.pyc cached files.By tricking a user into loading a template from a world-writable directory like /tmp, an attacker could run arbitrary code with the user's privileges by putting a crafted .pyc file into that directory. Note that this is highly unlikely to actually appear in practice as custom dbusmock templates are usually shipped in project directories, not directly in world-writable directories. Thanks to Simon McVittie for discovering this! LP: #1453815 CVE-2015-1326
- Loading branch information
1 parent
a4bd39f
commit 4e7d0df
Showing
3 changed files
with
28 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters