
Bug#605178: python-uno: Use of PYTHONPATH env var in an insecure way



Hi Rene,

On Sun, Nov 28, 2010 at 00:29, Rene Engelhard <rene@debian.org> wrote:
> found 605178 1:3.2.1-7
> found 605178 1:2.4.1+dfsg-1+lenny8
> severity 605178 minor
> thanks
>
> On Sat, Nov 27, 2010 at 10:45:58PM +0000, Sandro Tosi wrote:
>> Version: 1:3.3.0~beta2-2
>
> If the log says 2.4.1 and 3.2.1, too, why did you file it only against
> 1:3.3.0~beta2-2? :)

yeah, sorry about that: the submissions were done with mass-bug, but the
tool is affected by a bug (#605235) that generated 3 identical reports
instead of 3 for different versions (1:2.4.1+dfsg-1+lenny8, 1:3.2.1-7,
1:3.3.0~beta2-2)

>> Severity: important
>
> Well, it's a demo and it's a *tcsh* script....
> I'd call it minor...
>
>> Tags: security
>
> See above.

well, whatever ;)

>> Your package turns out to ship vulnerable examples or contains
>> insecure advices: you can find a complete log at [2].
>
> It's the second...
>
>> [2] http://people.debian.org/~morph/mbf/pythonpath.txt
>
> If the log says 2.4.1 and 3.2.1, too, why did you file it only against
> 1:3.3.0~beta2-2? :)

see above

>> Some guidelines on how to fix these bugs: in the case given above, you
>> can use something like
>>
>>    PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
>>
>> (If you don't known this construct, grep for "Use Alternative Value"
>> in the bash/dash manpage.)
>
> What is the tcsh equivalent?

sorry, I don't have an equivalent tcsh snippet. You can do it the
"didactical" way, with

if PYTHONPATH is set:
    do one thing
else
    do something else

> (BTW, the offending line is probably
>
> setenv PYTHONPATH .:$OOOHOME/program:$OOOHOME/program/pydemo:$OOOHOME/program/python/lib:$PYTHONPATH
>
> which is basically noop, as there's no internal python copy in our builds, and /pydemo doesn't exist
> either, same as python scripts in $OOOHOME/program and especially since OOHOME is set as
> "setenv OOOHOME /src4/OpenOffice.org1.1Beta2" :)

the fact is that a guy can copy the demo/ dir contents into another dir
and have '.' added to PYTHONPATH, with possible implications; in
this case '.' is even explicitly set in front of the PYTHONPATH line:
why do you need it?

Cheers,
-- 
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi
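Added example, not part of the thread: a small POSIX sh comparison of the naive prepend and the `${PYTHONPATH:+:$PYTHONPATH}` form quoted above. With PYTHONPATH unset the naive form leaves an empty trailing element, which Python (like the shell with PATH) treats as the current directory; the directory /spam/eggs is the hypothetical one from the quoted guideline.

```sh
#!/bin/sh
# Constructed example comparing the two PYTHONPATH prepend forms from the thread.

# Naive form: with PYTHONPATH unset this expands to "/spam/eggs:".
# The empty element after the colon is interpreted as ".", so any
# module dropped into the working directory shadows the real one.
unsafe_prepend() {
    printf '%s' "/spam/eggs:$PYTHONPATH"
}

# Recommended form: ${PYTHONPATH:+:$PYTHONPATH} expands to ":$PYTHONPATH"
# only when PYTHONPATH is set and non-empty ("Use Alternative Value"),
# so no empty element is ever produced.
safe_prepend() {
    printf '%s' "/spam/eggs${PYTHONPATH:+:$PYTHONPATH}"
}

# Check helper: count empty elements in a colon-separated search path.
# A non-zero result means the path implicitly includes the cwd.
count_empty_elements() {
    printf '%s\n' "$1" | awk -F: '{ n = 0; for (i = 1; i <= NF; i++) if ($i == "") n++; print n }'
}

# Show both forms with PYTHONPATH unset, then with a hypothetical value set.
demo() {
    ( unset PYTHONPATH
      u=$(unsafe_prepend); s=$(safe_prepend)
      printf 'unset: unsafe=%s (empty elements: %s)  safe=%s (empty elements: %s)\n' \
          "$u" "$(count_empty_elements "$u")" "$s" "$(count_empty_elements "$s")" )
    ( PYTHONPATH=/existing/dir
      printf 'set:   unsafe=%s  safe=%s\n' "$(unsafe_prepend)" "$(safe_prepend)" )
}

demo
```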
