On Sun, Feb 24, 2002 at 03:34:46PM +1100, Donovan Baarda wrote:
...
> OK, I got creative and figured out a way the python-central could work
> without using an emacs-style registry, instead just using the existing dpkg
> "Depends:" information.
> Comments welcome. This one is a bit more tested than the last.

Great, way to go and all that. But please, could you be more careful not to
introduce security hassles? I haven't looked very carefully, besides I don't
know enough of shell scripting to really get out all the security things, but
the following seemed too obvious even for me to overlook.

> for p in `dpkg -S /usr/lib/python/site-packages 2>/dev/null | sed
> 's#,\|:.*$##g'`; do
>     if dpkg -s $p | egrep "^Depends:.* $PYTHONXY([ ,]|$)" >/dev/null
> 2>&1; then

Are you sure all package names are sane? Or could some joker distribute a
(non-official of course) python package with a name just waiting to exploit
this unsanitized use of its name in a script running as root?

> # get_versions <package name>
> # return installed versions of python supported by the python package
> get_versions () {
>     DEPENDS=`dpkg -s $1 | grep "^Depends:" | cut -d: -f2`

And here again $1 is not sanitized :(

Maybe I'm overreacting, but I prefer debian to be rock solid and secure by
default.

-- 
groetjes, carel
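The check Carel is asking for, as an added example that is not part of the thread or of Donovan's python-central script. It validates every name parsed out of `dpkg -S` output against the Debian Policy package-name syntax (lowercase letters, digits, `+`, `-`, `.`, at least two characters, starting with an alphanumeric) before the name is handed back to `dpkg -s`, and it quotes the expansion so the name is never word-split or globbed. The point of the leading-`-` case is that an unquoted `dpkg -s $p` would let dpkg read such a "name" as an option. The `dpkg -S` line used below is constructed sample input, not real output; `get_versions` is the only function that actually shells out to dpkg and is shown for the hardened shape, not exercised here.

```sh
#!/bin/sh
# Added example, not Donovan's python-central code: validate package names
# taken from `dpkg -S` output before feeding them back to dpkg.
set -f                  # no pathname expansion on unquoted expansions
export LC_ALL=C         # so [a-z] in patterns means ASCII a-z only

# is_sane_pkg_name NAME
# Returns 0 iff NAME matches Debian Policy package-name syntax: lowercase
# letters, digits, '+', '-', '.', at least two characters, starting with an
# alphanumeric.  Uppercase, whitespace, a leading '-', and shell
# metacharacters are all rejected.
is_sane_pkg_name () {
    case "$1" in
        *[!a-z0-9+.-]*) return 1 ;;   # contains a character outside the set
        [a-z0-9]?*)     return 0 ;;   # leading alphanumeric, length >= 2
        *)              return 1 ;;   # empty, one char, or leading '+', '-', '.'
    esac
}

# owners_from_dpkg_s_line LINE
# LINE is one line of `dpkg -S` output, e.g. "python-foo, python-bar: /path".
# Prints each owning package name on its own line, skipping (and reporting on
# stderr) any that fail is_sane_pkg_name, so a caller can do `dpkg -s "$p"`.
owners_from_dpkg_s_line () {
    names=${1%%:*}                    # drop the ": /path" suffix
    old_ifs=$IFS
    IFS=', '                          # split on comma and blank
    for p in $names; do
        if is_sane_pkg_name "$p"; then
            printf '%s\n' "$p"
        else
            printf 'rejected suspicious package name: %s\n' "$p" >&2
        fi
    done
    IFS=$old_ifs
}

# Hardened counterpart of the quoted get_versions: refuse the name before it
# reaches dpkg, and quote it when it does so it is a single argument.
get_versions () {
    is_sane_pkg_name "$1" || { printf 'bad package name: %s\n' "$1" >&2; return 1; }
    dpkg -s "$1" | grep '^Depends:' | cut -d: -f2
}

# Constructed sample line (not real dpkg output).  The third "name" is what
# an unquoted `dpkg -s $p` would hand to dpkg as an option.
sample='python-foo, python2.2-bar, -s: /usr/lib/python/site-packages'

owners_from_dpkg_s_line "$sample"
```

Because the filter runs before any dpkg call, a bogus name never becomes an argument at all; the quoted `"$1"` in `get_versions` is defence in depth against a name that contains blanks or glob characters.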