Hi all, here below is the mail Jakub sent to d-python yesterday. I'm bouncing it now to d-d for wider spread and as a notification of an upcoming MBF (if no stop comes, it's expected to happen this evening). Please follow the whole thread at [1] for further discussion (and keep d-p in the loop in case of reply).
[1] http://lists.debian.org/20101117215848.ga9...@jwilk.net

Cheers,
Sandro (this time to the right d-d, sigh)

On Wed, Nov 17, 2010 at 22:58, Jakub Wilk <jw...@debian.org> wrote:
> A number of packages in the archive set the PYTHONPATH environment variable
> in an insecure way. They do something like:
>
> PYTHONPATH=/spam/eggs:$PYTHONPATH
>
> This is wrong, because if PYTHONPATH were originally unset or empty, the current
> working directory would be added to sys.path.
>
> These packages are affected:
>
> a) packages with vulnerable scripts in /usr/bin:
>
> * calendarserver (1.2.dfsg-8, 2.4.dfsg-2)
> * distcc-pump (3.1-3.1)
> * gnome-schedule (2.0.2-1.1, 2.1.1-3)
> * gnumed-client (0.7.9-1, 0.8.4-1)
> * gquilt (0.20-2, 0.22-1)
> * guake (0.4.2-1, 0.4.2-2)
> * ironpython (2.6~beta2-2)
> * mmass (3.8.0-1)
> * opendnssec-signer (1.1.0-2, 1.1.3-1)
> * pybliographer (1.2.12-3.2, 1.2.14-2)
> * pymca (4.4.0-1)
> * salome (5.1.3-9)
> * snappea (3.0d3-20)
>
> b) packages with scripts/modules outside PATH (it's not clear if they are
> exploitable or not):
>
> * ibus-anthy (1.2.1-1, 1.2.3-1)
> * ibus-skk (0.0.10-1, 1.3.3-1)
> * ibus-xkbc (1.3.3.20100804-1)
> * python-axiom (0.6.0-2)
> * python-epsilon (0.5.9-1)
>
> c) packages with insecure advice in their documentation or vulnerable
> example scripts:
>
> * python-matplotlib-doc (0.99.3-1)
> * python-omniorb-doc (3.3-1)
> * python-sqlobject (0.10.2-3, 0.12.4-2)
> * python-visual (1:5.12-1.1)
> * python-tables-doc (2.0.3-1, 2.1.2-3.1)
> * python-uno (1:2.4.1+dfsg-1+lenny8, 1:3.2.1-7, 1:3.3.0~beta2-2)
> * python2.7-examples (2.7-9)
> * python3.1-examples (3.1.2+20100926-1, 3.1.2+20101012-1)
> * python3.2-examples (3.2~a3-1)
> * twisted-doc (8.1.0-4, 10.1.0-3)
>
> Full log and dd-list are attached.
>
> Any volunteers to file bugs? :)
>
> (The security team was contacted beforehand and they agreed to disclose
> these bugs. This message was bcc-ed to the testing security team.)
>
> --
> Jakub Wilk

--
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi
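The construction Jakub describes beside its safe form, as an added example that is not part of either mail: the `${PYTHONPATH:+:$PYTHONPATH}` expansion only emits the colon when the variable is already non-empty, and a small check flags the empty entry that makes Python add the working directory (the `/opt/lib` value is constructed for the demonstration).

```sh
#!/bin/sh
# Added example, not code from the mail or from any of the listed packages.

# Insecure form quoted in the mail: with PYTHONPATH unset or empty this
# expands to "/spam/eggs:", and the trailing empty entry makes Python put
# the current working directory on sys.path.
insecure_pythonpath() {
    printf '%s' "/spam/eggs:$PYTHONPATH"
}

# Safe form: ${VAR:+text} expands to "text" only when VAR is set and
# non-empty, so the separator (and with it the empty entry) only appears
# when there is really something to append.
safe_pythonpath() {
    printf '%s' "/spam/eggs${PYTHONPATH:+:$PYTHONPATH}"
}

# Check for a weak value: an empty entry shows up as a leading, trailing or
# doubled colon. Wrapping the value in colons turns all three into "::".
# Returns 0 (true) when an empty entry is present. An entirely empty
# string is reported as weak as well (conservative).
has_empty_entry() {
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Demonstration with PYTHONPATH unset, as in the vulnerable case.
unset PYTHONPATH
printf 'insecure: "%s"\n' "$(insecure_pythonpath)"
printf 'safe:     "%s"\n' "$(safe_pythonpath)"
```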