Bug#605193: python-uno: Use of PYTHONPATH env var in an insecure way

To: maintonly@bugs.debian.org
Subject: Bug#605193: python-uno: Use of PYTHONPATH env var in an insecure way
From: Sandro Tosi <morph@debian.org>
Date: Sat, 27 Nov 2010 22:45:58 +0000
Message-id: <[🔎] E1PMTWo-000317-2g@ravel.debian.org>
Reply-to: Sandro Tosi <morph@debian.org>, 605193-maintonly@bugs.debian.org

Package: python-uno
Version: 1:3.3.0~beta2-2
Severity: important
Tags: security
User: debian-python@lists.debian.org
Usertags: pythonpath

Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in
an insecure way. Those packages do something like:

    PYTHONPATH=/spam/eggs:$PYTHONPATH

This is wrong, because if PYTHONPATH were originally unset or empty,
current working directory would be added to sys.path.

[1] http://lists.debian.org/debian-python/2010/11/msg00045.html

Your package turns out to ship vulnerable examples or contains
insecure advices: you can find a complete log at [2].

[2] http://people.debian.org/~morph/mbf/pythonpath.txt

Some guidelines on how to fix these bugs: in the case given above, you
can use something like

    PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}

(If you don't known this construct, grep for "Use Alternative Value"
in the bash/dash manpage.)

Also, in cases like

   PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH

or

   PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py

you shouldn't need to touch PYTHONPATH at all.

Feel free to contact debian-python@lists.debian.org in case of
help.

Reply to:

Prev by Date: Bug#605181: python-uno: Use of PYTHONPATH env var in an insecure way
Next by Date: Processed: merge them all
Previous by thread: Bug#605181: python-uno: Use of PYTHONPATH env var in an insecure way
Next by thread: Processed: merge them all
Index(es):
- Date
- Thread