Re: Untrusted search path vulnerabilities
* Sandro Tosi <morph@debian.org>, 2010-11-17, 23:37:
> Any volunteers to file bugs? :)
I'll do that tomorrow, if no-one beats me.
Thanks.
> Severity? grave for the vulnerable packages, important for the others?
I think so.
> in this case, was release team already contacted about that? I don't
> think this mini-RC-MBF would make them happy
I didn't contact RT. It certainly won't make them happy, but also
there's not much they can do about that.
> Also, just to give some advice to the maints: the correct approach
> here is to check if PYTHONPATH is set before (blindly) appending it to
> PYTHONPATH - or is there something else to do?
You can use something like:
PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
(If you don't know this construct, grep for "Use Alternative Value" in
the bash/dash manpage.)
Also, in cases like
PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH
or
PYTHONPATH=$PYTHONPATH:$SPAMDIR
exec python $SPAMDIR/spam.py
you shouldn't need to touch PYTHONPATH at all.
--
Jakub Wilk
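The difference between the two constructions, as an added example that is not part of the thread: the naive `PYTHONPATH=/dir:$PYTHONPATH` form leaves an empty element (a trailing colon) when PYTHONPATH is unset, and Python turns an empty PYTHONPATH element into the current working directory on sys.path, which is the untrusted search path problem these bugs are about. The `${PYTHONPATH:+:$PYTHONPATH}` form only adds the separator when there is something to separate. The directory `/spam/eggs` is the placeholder from the message; the function names and the `has_empty_element` check are assumptions for this example, not anything from the Debian packages concerned.

```shell
#!/bin/sh
# Added example (not from the original thread). Compares the naive and the
# "Use Alternative Value" ways of prepending a directory to PYTHONPATH and
# checks the result for empty elements. All values below are constructed.

# Naive construction: unconditionally appends ":$PYTHONPATH".
# $1 = directory to prepend, $2 = current PYTHONPATH value (may be empty).
naive_pythonpath() {
    printf '%s' "$1:$2"
}

# Safe construction, parameterised form of
#   PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
# ${VAR:+word} expands to "word" only when VAR is set and non-empty,
# so the colon is only emitted when there is an existing value to keep.
safe_pythonpath() {
    _dir=$1
    _pp=$2
    printf '%s' "${_dir}${_pp:+:$_pp}"
}

# Returns 0 if the colon-separated value in $1 contains an empty element
# (leading colon, trailing colon or "::"). Python maps such an element to
# the current working directory, so modules there would be importable.
# An entirely empty value is treated by Python as unset and is reported safe.
has_empty_element() {
    [ -z "$1" ] && return 1
    case ":$1:" in
        *::*) return 0 ;;
    esac
    return 1
}

# Demonstration when run directly: PYTHONPATH unset, as in a fresh login.
for candidate in "$(naive_pythonpath /spam/eggs "")" \
                 "$(safe_pythonpath /spam/eggs "")" \
                 "$(safe_pythonpath /spam/eggs /opt/lib)"; do
    if has_empty_element "$candidate"; then
        printf 'UNSAFE: "%s" (empty element, CWD would land on sys.path)\n' "$candidate"
    else
        printf 'ok:     "%s"\n' "$candidate"
    fi
done
```

Running it with PYTHONPATH unset flags `/spam/eggs:` as unsafe and accepts `/spam/eggs` and `/spam/eggs:/opt/lib`; the `has_empty_element` check is also a handy one-liner to drop into a wrapper script before it execs python, since a leading colon (`:$SPAMDIR`, the other construction in the message) is caught the same way.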