Bug 1676376 (CVE-2019-7653) - CVE-2019-7653 python-rdflib: Improper control of generation of code from current working directory
Status: NEW
Alias: CVE-2019-7653
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20190208,reported=2...
Keywords: Security
Depends On: 1676378 1676379
Blocks:
Reported: 2019-02-12 06:30 UTC by Dhananjay Arunesh
Modified: 2019-02-12 06:33 UTC (History)
Clone Of:
Last Closed:

Description Dhananjay Arunesh 2019-02-12 06:30:22 UTC
The Debian python-rdflib-tools 4.2.2-1 package for RDFLib 4.2.2 has CLI tools that can load Python modules from the current working directory, allowing code injection, because "python -m" looks in this directory, as demonstrated by rdf2dot. This issue is specific to use of the debian/scripts directory.

Reference:
https://bugs.debian.org/921751

Comment 1 Dhananjay Arunesh 2019-02-12 06:32:46 UTC
Created python-rdflib tracking bugs for this issue:

Affects: fedora-all [bug 1676378]

Comment 2 Dhananjay Arunesh 2019-02-12 06:33:06 UTC
Created python-rdflib tracking bugs for this issue:

Affects: epel-all [bug 1676379]
