Untrusted search path vulnerability in rhythmbox Python language binding allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to an erroneous setting of sys.path by the PySys_SetArgv function.

References (more details, test case):
http://www.nabble.com/Bug-484305%3A-bicyclerepair%3A-bike.vim-imports-untrusted-python-files-from-cwd-td18848099.html

Proposed patch:
The Debian patch for similar dia's Python related issue, available at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=pythonpath.diff;att=1;bug=504251
should be sufficient to resolve this issue.
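The following is an added illustration of the mechanism the report describes; it is not code from the report, from Rhythmbox, or from the referenced Debian pythonpath.diff. When an embedding application calls PySys_SetArgv, the interpreter prepends the script's directory (or "" for the current working directory) to sys.path, so any same-named .py file in a directory the user happens to be in wins the import. The example models that sys.path layout in pure Python, shows which file an import of a constructed module name would resolve to, and applies the embedder-side fix the patch approach implies: drop the implicit cwd entry before any module is imported. The names harden_sys_path, find_shadowing_file and the module name rbplugin_helper are assumptions for this example.

```python
import os
import sys
import tempfile


def harden_sys_path(entries, cwd=None):
    """Return a copy of `entries` without implicit current-working-directory
    entries: the empty string, '.', and anything resolving to `cwd`.

    This is the sys.path cleanup an embedder has to perform right after
    PySys_SetArgv() and before its first import. Assumption (for this
    example): the application never legitimately needs cwd-relative imports.
    """
    cwd = os.path.realpath(cwd or os.getcwd())
    kept = []
    for entry in entries:
        if entry in ("", "."):
            continue
        if os.path.realpath(entry) == cwd:
            continue
        kept.append(entry)
    return kept


def find_shadowing_file(module_name, search_path):
    """Return the path of `<module_name>.py` on the first search_path entry
    that contains it, or None (a simplified model of the import lookup,
    enough to show which directory would supply the module)."""
    for entry in search_path:
        directory = entry or os.getcwd()   # '' means the current directory
        candidate = os.path.join(directory, module_name + ".py")
        if os.path.isfile(candidate):
            return candidate
    return None


def demo():
    """Constructed scenario: a user-writable directory is the cwd and holds a
    file named like a module the application imports.

    Returns (shadowed_before, shadowed_after): whether the planted file is
    what the lookup finds with the PySys_SetArgv-style path, and with the
    hardened path.
    """
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed placeholder standing in for an untrusted file; its
        # content is irrelevant, only its name and location matter.
        planted = os.path.join(workdir, "rbplugin_helper.py")
        with open(planted, "w") as f:
            f.write("# placeholder\n")

        # sys.path as PySys_SetArgv leaves it: '' first, then the real entries.
        unsafe_path = [""] + [p for p in sys.path if p]

        old_cwd = os.getcwd()
        os.chdir(workdir)
        try:
            before = find_shadowing_file("rbplugin_helper", unsafe_path)
            after = find_shadowing_file("rbplugin_helper",
                                        harden_sys_path(unsafe_path))
        finally:
            os.chdir(old_cwd)
        return before is not None, after is not None


if __name__ == "__main__":
    shadowed_before, shadowed_after = demo()
    print("cwd file wins with PySys_SetArgv path :", shadowed_before)
    print("cwd file wins after harden_sys_path   :", shadowed_after)
```

The check in demo() is the shape of Ray Strode's style of test case: plant a harmlessly named file in the working directory, start the embedding application from there, and verify that the real module, not the planted one, is what gets imported. Newer Python releases later added PySys_SetArgvEx with an updatepath flag for the same purpose; on interpreters without it, the sys.path cleanup above is the fallback.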
This issue does NOT affect the version of the Rhythmbox package, as shipped with Red Hat Enterprise Linux 4.

This issue affects the version of the Rhythmbox package, as shipped with Red Hat Enterprise Linux 5.

Comment relevant for fix in RHEL-5:
The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here:
http://www.redhat.com/security/updates/classification/

=================================================================================

This issue affects the version of the Rhythmbox package, as shipped with Fedora releases of 9, 10 and devel. Please fix.
More explanation of why this issue hasn't been fixed in Python yet can be found here:
https://bugzilla.redhat.com/show_bug.cgi?id=482814#c1
here:
https://bugzilla.redhat.com/show_bug.cgi?id=482814#c4
and here:
https://bugzilla.redhat.com/show_bug.cgi?id=482814#c5

Looks like the Python fix won't come anytime soon, so please fix the issue in the package till we find the proper Python solution.

Ray Strode's test case to check the work of the fix can be found here:
https://bugzilla.redhat.com/show_bug.cgi?id=481556#c8
Not a Rhythmbox bug, but a Python one.