Zack Weinberg found a vulnerability in the way the exevpe() method
from the os.py module uses a temporary file name. A file which
supposedly should not exist is created in a unsafe way and the method
tries to execute it. The objective of such code is to discover what
error the operating system returns in a portable way.
By exploiting this vulnerability a local attacker can execute
arbitrary code with the privileges of the user running python code
which uses the execvpe() method.
http://python.org/sf/590294http://python.org/sf/601077
size is not adequate for some of the complex processing that Zope
does, and -fPIC was aggravating that condition. Now, if we're using
shared libs, up the stack size to 128k.
Also remove some stray files that never should have been committed
in the first place.
Major changes:
- no more threads flavor, threads is now the default.
- subpackage modules that depend on other packages instead of having
largely redundant flavors (unless platform has no shared libs, then
flavors count again)
- shared libpython stuff disabled until someone can figure out why
it makes Zope crash