From: Stas Z <sta...@gm...> - 2005-09-19 10:25:47
On 9/19/05, follower <fol...@my...> wrote:
>
> > Please check the libgmail version currently in CVS because we must release
> > as soon as possible.
>
> I think it would be best to avoid "exec" too--there's really no way to
> safely handle arbitrary code in Python. (Hence the removal of the rexec
> module.) It would be better to use a simple parser.

I agree, but we use exec to parse the JavaScript from the Gmail pages. This way we only have a problem when the Gmail developers add malicious JavaScript. Nonetheless, I know exec can be a problem, but at this moment it's a lot safer than the former solution.

> I can't give the code a thorough look through at the moment...
>
> > PS, Because this bug has such a high risk, especially on Windows, I suggest
> > that we don't make the exploit code public. At least not for a few weeks.
>
> Do as you see fit, but I think we should say people should stop using
> previous versions and upgrade immediately.

I meant not to disclose the actual way to exploit this. It's *very* important indeed to inform our users about the problem.

BTW, the actual exploit *and* solution came from Andrew.

Stas

-- 
A nation that continues year after year to spend more money on military defense than on programs of social uplift is approaching spiritual doom.
Martin Luther King, Jr.
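As an added example (not libgmail's code and not from this thread), here is the "simple parser" approach follower suggests, in Python 3: the D([...]) call shape and the sample page script are constructed assumptions, and json.loads stands in as a literal-only parser so that anything that is not data fails to parse instead of being executed the way exec would run it.

```python
import json

# Constructed sample of a Gmail page script (the D([...]) call shape is an
# assumption); the last call stands in for content that exec would have run.
SAMPLE = '''
D(["v","1a2b3c",1]);
D(["t",["msg1","Hello",true,null,-4.5]]);
D([1, __import__("os")]);
'''

def _array_end(s, start):
    """Index just past the ']' closing the '[' at s[start]; brackets inside
    double-quoted strings are skipped and backslash escapes are honoured."""
    depth, in_str, i = 0, False, start
    while i < len(s):
        c = s[i]
        if in_str:
            if c == '\\':
                i += 1            # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == '[':
            depth += 1
        elif c == ']':
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unterminated array at %d" % start)

def extract_datapacks(page_js):
    """Return (parsed D() arguments, [(offset, reason) for rejected calls]).
    json.loads understands literals only, so an identifier, call or attribute
    access inside a D() call is reported as rejected, never evaluated."""
    packs, rejected, pos = [], [], 0
    while True:
        pos = page_js.find('D([', pos)
        if pos < 0:
            return packs, rejected
        try:
            end = _array_end(page_js, pos + 2)
            packs.append(json.loads(page_js[pos + 2:end]))
        except ValueError as e:   # json.JSONDecodeError is a ValueError
            rejected.append((pos, str(e)))
            end = pos + 3
        pos = end
```

Single-quoted JS strings are rejected by this JSON-based parser as well, which is the trade-off for never evaluating the page's code.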