os._execvpe from os.py in Python 2.2.1 and earlier creates temporary files with predictable names, which could allow local users to execute arbitrary code via a symlink attack.

Zack Weinberg discovered an insecure use of a temporary file in os.\_execvpe from os.py. It uses a predictable name which could lead execution of arbitrary code.

This problem has been fixed in several versions of Python: For the current stable distribution (woody) it has been fixed in version 1.5.2-23.1 of Python 1.5, in version 2.1.3-3.1 of Python 2.1 and in version 2.2.1-4.1 of Python 2.2. For the old stable distribution (potato) this has been fixed in version 1.5.2-10potato12 for Python 1.5. For the unstable distribution (sid) this has been fixed in version 1.5.2-24 of Python 1.5, in version 2.1.3-6a of Python 2.1 and in version 2.2.1-8 of Python 2.2. Python 2.3 is not affected by this problem.

We recommend that you upgrade your Python packages immediately.

CVE-2002-1119: Debian -- Security Information -- DSA-159-1 python

The libguile.so library file used by gnucash in Debian GNU/Linux is installed with world-writable permissions.

Tag

#debian