2 security-related blocker tickets need review


Jeroen Demeyer

Oct 14, 2012, 5:17:38 PM10/14/12
to sage-devel
There are 2 *blocker* tickets for the sage-5.4 release and since these
are security-related, I absolutely think these must be fixed. I'm open
to discussing /how/ they should be fixed, but not /whether/ they should
be fixed. Both tickets put users running Sage (in particular doctests)
at risk from evil users on their system, so this is a huge concern for
shared systems.

#13579: Python sys.path security risk
This is the ticket which has been discussed a lot. I absolutely think
we should fix Python's bad sys.path behaviour. There is a patch up for
review at
http://trac.sagemath.org/sage_trac/ticket/13579

#13595: LD_LIBRARY_PATH potential security risk
In Sage, LD_LIBRARY_PATH ends with ":", which means the current working
directory will be searched also. This must be fixed because of obvious
security dangers.
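The LD_LIBRARY_PATH problem described above comes from an empty entry in the colon-separated list (a trailing ":", a leading ":" or "::"), which the dynamic loader treats as the current working directory. The following POSIX sh helpers are an added example, not from the Sage tree or from the ticket: one detects such empty entries, the other strips them, and the sample value at the bottom is constructed for illustration.

```shell
# Returns 0 (true) when the colon-separated list in $1 contains an empty
# entry: a leading ':', a trailing ':' or '::' in the middle. An empty
# entry makes the loader search the current working directory for
# shared libraries, which is what the ticket above warns about.
ld_path_has_empty_entry() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Prints $1 with every empty entry removed, so that no implicit
# current-directory lookup remains. Non-empty entries keep their order.
ld_path_strip_empty() {
    _in=$1
    _out=
    _old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while the list is unquoted
    for _entry in $_in; do
        [ -n "$_entry" ] || continue
        if [ -z "$_out" ]; then
            _out=$_entry
        else
            _out=$_out:$_entry
        fi
    done
    set +f
    IFS=$_old_ifs
    printf '%s\n' "$_out"
}

# Constructed sample resembling the bad value (note the trailing ':').
sample_ld_path='/usr/lib:/opt/sage/local/lib:'
if ld_path_has_empty_entry "$sample_ld_path"; then
    echo "empty entry found; sanitized: $(ld_path_strip_empty "$sample_ld_path")"
fi
```

A startup script can apply the same check to the live value with `ld_path_has_empty_entry "$LD_LIBRARY_PATH"` before exporting it.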