Description
It was found that many applications embedding the Python interpreter did
not specify a valid full path to the script or application when calling the
PySys_SetArgv API function, which could result in the addition of the
current working directory to the module search path (sys.path). A local
attacker able to trick a victim into running such an application in an
attacker-controlled directory could use this flaw to execute code with the
victim's privileges. This update adds the PySys_SetArgvEx API. Developers
can modify their applications to use this new API, which sets sys.argv
without modifying sys.path. (CVE-2008-5983)
Multiple flaws were found in the Python rgbimg module. If an application
written in Python was using the rgbimg module and loaded a
specially-crafted SGI image file, it could cause the application to crash
or, possibly, execute arbitrary code with the privileges of the user
running the application. (CVE-2009-4134, CVE-2010-1449, CVE-2010-1450)
Multiple flaws were found in the Python audioop module. Supplying certain
inputs could cause the audioop module to crash or, possibly, execute
arbitrary code. (CVE-2010-1634, CVE-2010-2089)