
Re: Untrusted search path vulnerabilities



* Sandro Tosi <morph@debian.org>, 2010-11-17, 23:37:
Any volunteers to file bugs? :)

I'll do that tomorrow, if no-one beats me.

Thanks.

Severity? grave for the vulnerable packages, important for the others?

I think so.

in this case, was release team already contacted about that? I don't
think this mini-RC-MBF would make them happy

I didn't contact RT. It certainly won't make them happy, but also there's not much they can do about that.

Also, just to give some advice to the maints: the correct approach
here is to check if PYTHONPATH is set before (blindly) appending it to
PYTHONPATH - or is there something else to do?

You can use something like:

PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}

(If you don't know this construct, grep for "Use Alternative Value" in the bash/dash manpage.)

Also, in cases like

    PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH

or

    PYTHONPATH=$PYTHONPATH:$SPAMDIR
    exec python $SPAMDIR/spam.py

you shouldn't need to touch PYTHONPATH at all.

--
Jakub Wilk
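The two ways of extending PYTHONPATH discussed above, as an added example that is not part of the original thread. The unsafe form appends `:$PYTHONPATH` unconditionally, so with PYTHONPATH unset the result ends in a bare colon; Python turns that empty element into an empty string in sys.path, which it resolves against the current working directory at import time, and that is the untrusted search path the thread is about. The `${PYTHONPATH:+:$PYTHONPATH}` form only adds the separator when there is something to separate. The function names, the `/spam/eggs` directory and the sample values are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original thread): contrast the unsafe and the
# safe way of prepending a directory to PYTHONPATH.

# Unsafe: "$1:$2" always emits the colon, so an unset or empty $2 leaves a
# trailing empty element. Python puts that element into sys.path as '',
# i.e. "the current directory", whatever that happens to be at run time.
unsafe_pythonpath() {
    # $1: directory to add; $2: existing PYTHONPATH value (may be empty)
    printf '%s' "$1:$2"
}

# Safe: ${existing:+:$existing} expands to ":$existing" only when
# $existing is set and non-empty ("Use Alternative Value" in the sh manpage).
safe_pythonpath() {
    dir=$1
    existing=$2
    printf '%s' "$dir${existing:+:$existing}"
}

# Returns 0 if a colon-separated search path contains an empty element
# (leading colon, trailing colon or "::"), which Python treats as ".".
# Wrapping the value in colons makes all three cases show up as "::".
has_empty_element() {
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Demonstration with a constructed, empty inherited PYTHONPATH.
inherited=''
for p in "$(unsafe_pythonpath /spam/eggs "$inherited")" \
         "$(safe_pythonpath /spam/eggs "$inherited")"; do
    if has_empty_element "$p"; then
        echo "PYTHONPATH='$p' -> empty element, current directory is searched"
    else
        echo "PYTHONPATH='$p' -> ok"
    fi
done
```

The `has_empty_element` check is what a maintainer can run against a package's wrapper script output before and after the change; it flags exactly the values that would make Python look in the caller's current directory.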

