az(1) can't be used securely when the current working directory is untrusted (e.g. /tmp), because it loads code from cwd. References: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005251
Created azure-cli tracking bugs for this issue: Affects: fedora-35 [bug 2053193]
Thanks, Pedro. I'm taking a look to see what we can do.
As noted in the Debian ticket, writing out an `azure.py` file causes potentially malicious files in the current directory to be imported. However, by dropping the local directory from `sys.path` and using runpy (as suggested), this appears to work:

```
#!/usr/bin/env python3
import sys
import runpy

# Remove the current working directory from the list of import paths.
sys.path = sys.path[1:]

# Use runpy to run the cli module.
runpy.run_module('azure.cli')
```
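For the same hardening, an added example (not from this bug report or the azure-cli project) that removes the working-directory entry from the import path wherever it appears, rather than assuming it is `sys.path[0]`; `strip_cwd_entries` takes the path list and the cwd as parameters so it can be checked offline, and the `azure.cli` module name in the launcher is the one from the comment above:

```python
#!/usr/bin/env python3
"""Drop working-directory entries from a module search path before running a CLI.

Python puts the invoking directory first on sys.path: '' (or the cwd) for
`python -m pkg`, the script's own directory for `python script.py`. A file
such as azure.py in an untrusted cwd like /tmp can then shadow a real import.
Instead of dropping only sys.path[0], this filters every entry that resolves
to the current working directory.
"""
import os
import runpy
import sys


def strip_cwd_entries(paths, cwd=None):
    """Return `paths` without '', '.', or any spelling that resolves to `cwd`."""
    cwd = os.path.realpath(cwd if cwd is not None else os.getcwd())
    kept = []
    for entry in paths:
        # Relative entries ('' and '.' included) are resolved against cwd,
        # absolute ones are left as they are by os.path.join.
        resolved = os.path.realpath(os.path.join(cwd, entry))
        if resolved == cwd:
            continue  # this entry would import from the working directory
        kept.append(entry)
    return kept


def run_module_from_safe_path(mod_name):
    """Run `mod_name` like `python -m mod_name`, but never import from cwd."""
    sys.path[:] = strip_cwd_entries(sys.path)
    # run_name='__main__' mirrors what `python -m` sets for the module.
    runpy.run_module(mod_name, run_name="__main__", alter_sys=True)


if __name__ == "__main__":
    # Hypothetical launcher: the installed `az` wrapper would call this.
    run_module_from_safe_path("azure.cli")
```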
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.