
Bug#605178: python-uno: Use of PYTHONPATH env var in an insecure way



found 605178 1:3.2.1-7
found 605178 1:2.4.1+dfsg-1+lenny8
severity 605178 minor
thanks

On Sat, Nov 27, 2010 at 10:45:58PM +0000, Sandro Tosi wrote:
> Version: 1:3.3.0~beta2-2

If the log says 2.4.1 and 3.2.1, too, why did you file it only against
1:3.3.0~beta2-2? :)

> Severity: important

Well, it's a demo and it's a *tcsh* script....
I'd call it minor...

> Tags: security

See above.

> Your package turns out to ship vulnerable examples or contains
> insecure advices: you can find a complete log at [2].

It's the second...

> [2] http://people.debian.org/~morph/mbf/pythonpath.txt

If the log says 2.4.1 and 3.2.1, too, why did you file it only against
1:3.3.0~beta2-2? :)

> Some guidelines on how to fix these bugs: in the case given above, you
> can use something like
>
>    PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
>
> (If you don't know this construct, grep for "Use Alternative Value"
> in the bash/dash manpage.)

What is the tcsh equivalent? (BTW, the offending line is probably

setenv PYTHONPATH .:$OOOHOME/program:$OOOHOME/program/pydemo:$OOOHOME/program/python/lib:$PYTHONPATH

which is basically a noop, as there's no internal python copy in our builds, and /pydemo doesn't exist
either, same as python scripts in $OOOHOME/program, and especially since OOOHOME is set as
"setenv OOOHOME /src4/OpenOffice.org1.1Beta2" :)

Grüße/Regards,

René
-- 
 .''`.  René Engelhard -- Debian GNU/Linux Developer
 : :' : http://www.debian.org | http://people.debian.org/~rene/
 `. `'  rene@debian.org | GnuPG-Key ID: D03E3E70
   `-   Fingerprint: E12D EA46 7506 70CF A960 801D 0AA0 4571 D03E 3E70
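As an added illustration of the point under discussion (this is example code, not part of the bug report or of the python-uno package), the POSIX sh snippet below puts the insecure "always append :$PYTHONPATH" form next to the `${PYTHONPATH:+:$PYTHONPATH}` form from the report, and adds a small check for the elements that make a path list refer to the current working directory. The directory names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original report. Directories are constructed.

# Insecure form: ":$PYTHONPATH" is appended unconditionally. When PYTHONPATH
# is unset or empty the result ends in ":", and Python treats an empty
# sys.path element as the current working directory, so a module dropped
# in the CWD can shadow library modules.
insecure_pythonpath() {
    # $1 = directories to prepend, $2 = current PYTHONPATH value
    printf '%s\n' "$1:$2"
}

# Safe form: the separator and old value are only added when PYTHONPATH is
# set and non-empty ("Use Alternative Value" in the sh manpage).
safe_pythonpath() {
    # $1 = directories to prepend, $2 = current PYTHONPATH value
    printf '%s\n' "$1${2:+:$2}"
}

# Returns 0 if the colon-separated list in $1 contains an element that
# resolves to the CWD: an empty element (leading/trailing ":" or "::")
# or an explicit ".". Wrapping the list in ":" makes both patterns
# uniform. An entirely empty list is not flagged.
has_cwd_element() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*|*:.:*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Demonstration with PYTHONPATH empty (the common case for a demo script).
for ver in insecure safe; do
    result=$("${ver}_pythonpath" /spam/eggs "")
    if has_cwd_element "$result"; then
        printf '%-8s -> %-14s (CWD on sys.path!)\n' "$ver" "$result"
    else
        printf '%-8s -> %-14s (ok)\n' "$ver" "$result"
    fi
done
```

The check also flags a list that starts with an explicit `.`, which the demo's `setenv` line above does on purpose. For tcsh, which has no `${VAR:+...}` expansion, the same effect comes from testing whether the variable is defined: `if ($?PYTHONPATH) then` / `setenv PYTHONPATH /spam/eggs:$PYTHONPATH` / `else` / `setenv PYTHONPATH /spam/eggs` / `endif`.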