* Mike Hommey <m...@glandium.org>, 2010-11-18, 12:17:
A number of packages in the archive sets the PYTHONPATH environment
variable in an insecure way. They do something like:
PYTHONPATH=/spam/eggs:$PYTHONPATH
This is wrong, because if PYTHONPATH were originally unset or empty,
current working directory would be added to sys.path.
I wonder if this class of vulnerabilities (inc the LD_LIBRARY_PATH
ones) could be automatically warned about by lintian.
This is bug #451559. I guess it will be tricky to implement reliably.
I wonder if this wouldn't be our duty to remove the possibility of
these vulnerabilities at all. Who relies on these PATH variables
features to include the current directory instead of adding "." ? Why
don't we fix python, ld.so and other stuff doing the same such that
empty entries are skipped ?
http://seclists.org/oss-sec/2010/q3/446
I don't know if "next stable release" means squeeze or wheezy here. IMO
it's too late for such changes for squeeze.
--
Jakub Wilk
--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20101122134515.ga6...@jwilk.net
