
Re: rdflib / CVE-2019-7653



Brian May wrote:

> > Hm, does this not still omit the rationale for the non-trivial changes
> > to the build system? Or at least it doesn't make the connection very
> > obvious to someone installing the package.
>
[…] 
> + * CVE-2019-7653: The Debian package had a custom wrapper that can load
> + Python modules from the current working directory, allowing code 
> injection.
> + This is because "python -m" looks in this directory. This version uses 
> the
> + easy_install provided scripts instead of our our custom scripts.
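Review bot: the last added line has a doubled word ("instead of our our custom scripts"); drop one "our". The entry explains the switch to the easy_install provided scripts but says nothing about the build-system changes raised in the quoted question above it, so a sentence tying those changes to the fix would make the connection visible to someone reading the changelog.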
> 
> If this is not sufficient, can you suggest something better?

Something that at least references why the build/runtime moves to
Python 3.x (or whatever). Running out of ways to try and explain
this angle. :)


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-

