|0001 SECURITY FIX Prevent code execution through crafted .patch | (download)
13 5 + 8 - 0 !
10 10 + 0 - 0 !
2 files changed, 15 insertions(+), 8 deletions(-)
security fix: prevent code execution through crafted pyc files
When loading a template from an arbitrary file through the AddTemplate() D-Bus
method call or DBusTestCase.spawn_server_template() Python method, don't create
or use Python's *.pyc cached files.By tricking a user into loading a template
from a world-writable directory like /tmp, an attacker could run arbitrary code
with the user's privileges by putting a crafted .pyc file into that directory.
Note that this is highly unlikely to actually appear in practice as custom
dbusmock templates are usually shipped in project directories, not directly in
Thanks to Simon McVittie for discovering this!