Register | Log in

restrictedpython

Restricted execution environment for Python 3

Choose email to subscribe with

general

source: restrictedpython (main)
version: 8.1-1
maintainer: Debian Python Team (DMD)
uploaders: Christoph Berg [DMD] – Diwa Tomy [DMD]
arch: all
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.0~b3-2
oldstable: 4.0~b3-3
stable: 8.0-1
testing: 8.1-1
unstable: 8.1-1

versioned links

4.0~b3-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.0~b3-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

python3-restrictedpython

action needed

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 8.1-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 00e8a67a483c2394feb7c7b990f41aee0a88e0cb
Author: Christoph Berg <myon@debian.org>
Date:   Fri Nov 7 11:15:19 2025 +0100

    Remove myself from Uploaders.

Created: 2025-11-07 Last update: 2025-11-13 14:31

3 low-priority security issues in bookworm low

There are 3 open security issues in bookworm.

3 issues left for the package maintainer to handle:

CVE-2023-37271: (needs triaging) RestrictedPython is a tool that helps to define a subset of the Python language which allows users to provide a program input into a trusted environment. RestrictedPython does not check access to stack frames and their attributes. Stack frames are accessible within at least generators and generator expressions, which are allowed inside RestrictedPython. Prior to versions 6.1 and 5.3, an attacker with access to a RestrictedPython environment can write code that gets the current stack frame in a generator and then walk the stack all the way beyond the RestrictedPython invocation boundary, thus breaking out of the restricted sandbox and potentially allowing arbitrary code execution in the Python interpreter. All RestrictedPython deployments that allow untrusted users to write Python code in the RestrictedPython environment are at risk. In terms of Zope and Plone, this would mean deployments where the administrator allows untrusted users to create and/or edit objects of type `Script (Python)`, `DTML Method`, `DTML Document` or `Zope Page Template`. This is a non-default configuration and likely to be extremely rare. The problem has been fixed in versions 6.1 and 5.3.
CVE-2023-41039: (needs triaging) RestrictedPython is a restricted execution environment for Python to run untrusted code. Python's "format" functionality allows someone controlling the format string to "read" all objects accessible through recursive attribute lookup and subscription from objects he can access. This can lead to critical information disclosure. With `RestrictedPython`, the format functionality is available via the `format` and `format_map` methods of `str` (and `unicode`) (accessed either via the class or its instances) and via `string.Formatter`. All known versions of `RestrictedPython` are vulnerable. This issue has been addressed in commit `4134aedcff1` which has been included in the 5.4 and 6.2 releases. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-47532: (needs triaging) RestrictedPython is a restricted execution environment for Python to run untrusted code. A user can gain access to protected (and potentially sensible) information indirectly via AttributeError.obj and the string module. The problem will be fixed in version 7.3. As a workaround, If the application does not require access to the module string, it can remove it from RestrictedPython.Utilities.utility_builtins or otherwise do not make it available in the restricted execution environment.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-07-14 Last update: 2025-11-09 03:01

news

[2025-11-09] restrictedpython 8.1-1 MIGRATED to testing (Debian testing watch)
[2025-11-07] Accepted restrictedpython 8.1-1 (source) into unstable (Diwa Tomy) (signed by: Emmanuel Arias)
[2025-01-30] restrictedpython 8.0-1 MIGRATED to testing (Debian testing watch)
[2025-01-27] Accepted restrictedpython 8.0-1 (source) into unstable (Colin Watson)
[2023-09-10] restrictedpython 6.2-1 MIGRATED to testing (Debian testing watch)
[2023-09-04] Accepted restrictedpython 6.2-1 (source) into unstable (Christoph Berg)
[2023-09-02] restrictedpython REMOVED from testing (Debian testing watch)
[2021-12-28] restrictedpython 4.0~b3-3 MIGRATED to testing (Debian testing watch)
[2021-12-22] Accepted restrictedpython 4.0~b3-3 (source) into unstable (Christoph Berg)
[2018-09-26] restrictedpython 4.0~b3-2 MIGRATED to testing (Debian testing watch)
[2018-09-24] Accepted restrictedpython 4.0~b3-2 (source) into unstable (Mattia Rizzolo)
[2018-04-22] restrictedpython 4.0~b3-1 MIGRATED to testing (Debian testing watch)
[2018-04-16] Accepted restrictedpython 4.0~b3-1 (source) into unstable (Christoph Berg)
[2018-02-04] restrictedpython 4.0~b2-1 MIGRATED to testing (Debian testing watch)
[2018-01-29] Accepted restrictedpython 4.0~b2-1 (source all) into unstable, unstable (Christoph Berg)

bugs [bug history graph]

all: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 8.1-1
1 bug

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing