On 28/11/10 08:38, Sandro Tosi wrote:
> Package: gquilt
> Version: 0.22-1
> Severity: grave
> Tags: security
> User: [email protected]
> Usertags: pythonpath
>
> Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in an insecure way. Those packages do something like:
>
>   PYTHONPATH=/spam/eggs:$PYTHONPATH
>
> This is wrong, because if PYTHONPATH were originally unset or empty, the current working directory would be added to sys.path.
>
> [1] http://lists.debian.org/debian-python/2010/11/msg00045.html
>
> Your package turns out to have vulnerable scripts in PATH: you can find a complete log at [2].
>
> [2] http://people.debian.org/~morph/mbf/pythonpath.txt
>
> Some guidelines on how to fix these bugs: in the case given above, you can use something like
>
>   PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
>
> (If you don't know this construct, grep for "Use Alternative Value" in the bash/dash manpage.)
>
> Also, in cases like
>
>   PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH
>
> or
>
>   PYTHONPATH=$PYTHONPATH:$SPAMDIR
>   exec python $SPAMDIR/spam.py
>
> you shouldn't need to touch PYTHONPATH at all.
>
> Feel free to contact [email protected] in case of help.
Please update to gquilt-0.24 (released about 7 weeks ago) as the above problem is no longer present in the code.
Peter
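The point of the bug report, as an added example that is not part of the thread and not gquilt's or Debian's own code: the two PYTHONPATH forms side by side, a check for the empty path element that makes Python add the current working directory to sys.path, and a grep that finds the unguarded pattern in a wrapper script. The function names, the /spam/eggs and /opt/lib values and the sample wrapper are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from gquilt: shows why
# "PYTHONPATH=/spam/eggs:$PYTHONPATH" is unsafe when PYTHONPATH is unset or
# empty, and the ${PYTHONPATH:+:$PYTHONPATH} form the report recommends.
# Function names and the sample wrapper script are this example's own.

# The pattern the report objects to.  With an empty second argument the
# result is "/spam/eggs:", whose trailing empty element Python treats as the
# current working directory.
#   $1: directory to prepend   $2: existing PYTHONPATH value (may be empty)
insecure_pythonpath() {
    printf '%s' "$1:$2"
}

# The recommended form.  ${2:+:$2} expands to ":$2" only when $2 is set and
# non-empty ("Use Alternative Value" in the dash/bash manpage), so no
# separator, and hence no empty element, is produced for an empty value.
safe_pythonpath() {
    printf '%s' "$1${2:+:$2}"
}

# True (exit 0) when any colon-separated element of $1 is empty: a leading,
# trailing or doubled colon.  An entirely empty value is reported as clean,
# since the interpreter ignores an empty PYTHONPATH.
has_empty_element() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
    esac
    return 1
}

# Flags PYTHONPATH assignments in a wrapper script that splice $PYTHONPATH in
# with a bare ":" and no ":+" guard (both shapes quoted in the report).
# Prints "line:text" for each hit; exit status 0 means at least one was
# found, 1 means the script looks clean.
scan_script() {
    grep -nE 'PYTHONPATH=.*(:\$PYTHONPATH|\$PYTHONPATH:)' "$1" | grep -v ':+'
}

# Demonstration on constructed values ("" stands for an unset PYTHONPATH).
echo "insecure, unset:  '$(insecure_pythonpath /spam/eggs "")'"        # /spam/eggs:
echo "safe, unset:      '$(safe_pythonpath /spam/eggs "")'"            # /spam/eggs
echo "safe, with value: '$(safe_pythonpath /spam/eggs /opt/lib)'"      # /spam/eggs:/opt/lib

# If a Python interpreter is present, show the effect on sys.path directly.
# With the insecure value an extra entry for the current directory appears
# after /spam/eggs; with the safe value it does not.
if command -v python3 >/dev/null 2>&1; then
    probe=$(mktemp) || exit 1
    printf 'import sys\nprint(sys.path[:3])\n' > "$probe"
    PYTHONPATH="$(insecure_pythonpath /spam/eggs "")" python3 "$probe"
    PYTHONPATH="$(safe_pythonpath /spam/eggs "")" python3 "$probe"
    rm -f "$probe"
fi

# Constructed wrapper script containing both unsafe forms from the report and
# the fixed variant; only the first two assignments are reported.
wrapper=$(mktemp) || exit 1
cat > "$wrapper" <<'EOF'
#!/bin/sh
PYTHONPATH=/usr/share/spam:$PYTHONPATH
PYTHONPATH=$PYTHONPATH:$SPAMDIR
PYTHONPATH=/usr/share/spam${PYTHONPATH:+:$PYTHONPATH}
exec python /usr/share/spam/spam.py
EOF
scan_script "$wrapper"
rm -f "$wrapper"
```

The scan is the same kind of grep the mass bug filing was based on, so it is useful as a quick pre-upload check on a package's /usr/bin wrappers; has_empty_element is the runtime counterpart for the cases where the value is assembled from several variables rather than written literally.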

