Your message dated Tue, 30 Nov 2010 13:47:46 +0000
with message-id <[email protected]>
and subject line Bug#605160: fixed in pymca 4.4.1p1-1
has caused the Debian Bug report #605160,
regarding pymca: Use of PYTHONPATH env var in an insecure way
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
605160: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605160
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: pymca
Version: 4.4.0-1
Severity: grave
Tags: security
User: [email protected]
Usertags: pythonpath

Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in
an insecure way. Those packages do something like:

    PYTHONPATH=/spam/eggs:$PYTHONPATH

This is wrong, because if PYTHONPATH were originally unset or empty,
the current working directory would be added to sys.path.

[1] http://lists.debian.org/debian-python/2010/11/msg00045.html

Your package turns out to have vulnerable scripts in PATH: you can
find a complete log at [2].

[2] http://people.debian.org/~morph/mbf/pythonpath.txt

Some guidelines on how to fix these bugs: in the case given above, you
can use something like

    PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}

(If you don't know this construct, grep for "Use Alternative Value"
in the bash/dash manpage.)

Also, in cases like

   PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH

or

   PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py

you shouldn't need to touch PYTHONPATH at all.

Feel free to contact [email protected] if you need
help.



--- End Message ---
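The two constructions from the bug report side by side, as an added example (not code from pymca or from the report): a POSIX sh script in which /spam/eggs stands in for the directory a wrapper wants to prepend, the inherited PYTHONPATH value is passed in as an argument so that both the unset and the already-set cases can be exercised, and a small check flags the empty list element that the interpreter turns into the current working directory. The names vulnerable_path, hardened_path, has_empty_entry and the /home/alice/lib sample value are chosen here for illustration.

```shell
#!/bin/sh
# Added example (not from pymca or the bug report): the insecure and the
# fixed PYTHONPATH constructions from the report, side by side.
# /spam/eggs stands in for whatever directory a wrapper script wants to add;
# the function and variable names below are chosen here, not taken from pymca.

EXTRA=/spam/eggs

# Insecure form:  PYTHONPATH=/spam/eggs:$PYTHONPATH
# $1 is the PYTHONPATH value the wrapper inherited (possibly empty).
# When $1 is empty the result is "/spam/eggs:", and the empty trailing
# element is treated by the Python interpreter as the current working
# directory, which PYTHONPATH entries place ahead of the standard library
# on sys.path: a module file dropped in whatever directory the user runs
# the command from gets imported.
vulnerable_path() {
    printf '%s:%s\n' "$EXTRA" "$1"
}

# Fixed form:  PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
# ${VAR:+word} ("Use Alternative Value" in sh(1)/bash(1)) expands to word
# only if VAR is set and non-empty, so the ':' separator is emitted only
# when there is a second element to separate.
hardened_path() {
    printf '%s%s\n' "$EXTRA" "${1:+:$1}"
}

# Succeeds (status 0) when a colon-separated list contains an empty
# element, i.e. a leading, trailing or doubled colon. Wrapping the list
# in ':' turns every one of those cases into a "::" substring.
has_empty_entry() {
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Demonstration over the two cases that matter: PYTHONPATH unset/empty
# (the case the report is about) and PYTHONPATH already carrying a
# user-supplied directory (which both forms must preserve unchanged).
for inherited in "" "/home/alice/lib"; do
    printf 'inherited PYTHONPATH=%s\n' "'$inherited'"
    for form in vulnerable_path hardened_path; do
        result=$("$form" "$inherited")
        if has_empty_entry "$result"; then
            verdict='UNSAFE (empty element -> cwd on sys.path)'
        else
            verdict='ok'
        fi
        printf '  %-16s %-30s %s\n' "$form:" "'$result'" "$verdict"
    done
done
```

The same check is useful outside this demo: run has_empty_entry on the value a wrapper script actually exports (for example by adding `echo "$PYTHONPATH"` before the exec line) with the variable unset in the calling shell, since that is the environment most users launch the program from.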
--- Begin Message ---
Source: pymca
Source-Version: 4.4.1p1-1

We believe that the bug you reported is fixed in the latest version of
pymca, which is due to be installed in the Debian FTP archive:

pymca-data_4.4.1p1-1_all.deb
  to main/p/pymca/pymca-data_4.4.1p1-1_all.deb
pymca_4.4.1p1-1.debian.tar.gz
  to main/p/pymca/pymca_4.4.1p1-1.debian.tar.gz
pymca_4.4.1p1-1.dsc
  to main/p/pymca/pymca_4.4.1p1-1.dsc
pymca_4.4.1p1-1_amd64.deb
  to main/p/pymca/pymca_4.4.1p1-1_amd64.deb
pymca_4.4.1p1.orig.tar.gz
  to main/p/pymca/pymca_4.4.1p1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Teemu Ikonen <[email protected]> (supplier of updated pymca package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 30 Nov 2010 12:32:47 +0100
Source: pymca
Binary: pymca pymca-data
Architecture: source all amd64
Version: 4.4.1p1-1
Distribution: unstable
Urgency: low
Maintainer: Debian Science Maintainers <[email protected]>
Changed-By: Teemu Ikonen <[email protected]>
Description: 
 pymca      - Python applications and toolkit for X-ray fluorescence analysis
 pymca-data - Architecture independent data files for PyMca
Closes: 605160
Changes: 
 pymca (4.4.1p1-1) unstable; urgency=low
 .
   * New upstream version.
     - Fixes setting PYTHONPATH in scripts (closes: #605160).
     - Includes the specfile module locale fixes, so removing patch
       03_specfile-locale.
     - Does not include .pyc files in the orig.tar, so removing code
       in 'debian/rules' for preserving them during the build.
   * Patch 03_postbatch: Remove starting blank line from pymcapostbatch
     script to allow correct distutils #! replacement.
Checksums-Sha1: 
 028cac28d85d9900a44146613b68b33c2eb71c8a 1330 pymca_4.4.1p1-1.dsc
 c0d08e0e2904c1db1bb23ba828c977c1b8b8b295 9712721 pymca_4.4.1p1.orig.tar.gz
 fab18e81d0d5ca6fc9ca964fff0b4eb3f83e2755 16537 pymca_4.4.1p1-1.debian.tar.gz
 b075db75d67b9ab17db9d235a417e541f5d9e8ec 7965730 pymca-data_4.4.1p1-1_all.deb
 ccf156b2a2ccd5fac3caebb54611470fd73a3f03 1752448 pymca_4.4.1p1-1_amd64.deb
Checksums-Sha256: 
 42814ab28157eff9a606578a1f4a4e56df08b7d54dab5e08e0dc7a5f01cf4e1c 1330 pymca_4.4.1p1-1.dsc
 5cd1c739bc27f0b36776d8bb65f30745c670fa3a47e24b02a37f528d9c1659f8 9712721 pymca_4.4.1p1.orig.tar.gz
 c1200aab5a580661dbc11ceffd2e6137ae49fbde8ad614aec1ec1bf5cdfc53de 16537 pymca_4.4.1p1-1.debian.tar.gz
 0efab8522fdf2574e8eb0f5f8f565058935c7101c507967656a633a6195918c2 7965730 pymca-data_4.4.1p1-1_all.deb
 61fe0adc0bd4dcf878d10d87d71595032fbdbd6ab8ee3799a0635495e2863960 1752448 pymca_4.4.1p1-1_amd64.deb
Files: 
 d9e2b44902efa29cf1afcbb73ee4f5bf 1330 science extra pymca_4.4.1p1-1.dsc
 92d77e55975c27c8693356a567e95d28 9712721 science extra pymca_4.4.1p1.orig.tar.gz
 41fded8b4d29310eb749c08256684c92 16537 science extra pymca_4.4.1p1-1.debian.tar.gz
 aaa79c95797e1fd5949fc80fc60188ed 7965730 science extra pymca-data_4.4.1p1-1_all.deb
 4bd3655df03ba20a3096da2943fef456 1752448 science extra pymca_4.4.1p1-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFM9PZJYDBbMcCf01oRAm9SAJ4zoyEaQJQ1ueYVWe7tNg5ZlGpCCwCdFlTF
M3AlLtCM5DRAc53gwl69vRo=
=J38l
-----END PGP SIGNATURE-----



--- End Message ---