
Re: Untrusted search path vulnerabilities



Hi all,
Here below is the mail Jakub sent to d-python yesterday; I'm bouncing it
now to d-d for wider spread and as a notification of an upcoming
mbf (if no stop comes, it's expected to happen this evening). Please
follow the whole thread at [1] for further discussion (and keep d-p in
the loop in case of reply).

[1] http://lists.debian.org/20101117215848.GA9858@jwilk.net

Cheers,
Sandro

On Wed, Nov 17, 2010 at 22:58, Jakub Wilk <jwilk@debian.org> wrote:
> A number of packages in the archive set the PYTHONPATH environment variable
> in an insecure way. They do something like:
>
>      PYTHONPATH=/spam/eggs:$PYTHONPATH
>
> This is wrong, because if PYTHONPATH were originally unset or empty, current
> working directory would be added to sys.path.
>
> These packages are affected:
>
> a) packages with vulnerable scripts in /usr/bin:
>
> * calendarserver (1.2.dfsg-8, 2.4.dfsg-2)
> * distcc-pump (3.1-3.1)
> * gnome-schedule (2.0.2-1.1, 2.1.1-3)
> * gnumed-client (0.7.9-1, 0.8.4-1)
> * gquilt (0.20-2, 0.22-1)
> * guake (0.4.2-1, 0.4.2-2)
> * ironpython (2.6~beta2-2)
> * mmass (3.8.0-1)
> * opendnssec-signer (1.1.0-2, 1.1.3-1)
> * pybliographer (1.2.12-3.2, 1.2.14-2)
> * pymca (4.4.0-1)
> * salome (5.1.3-9)
> * snappea (3.0d3-20)
>
> b) packages with scripts/modules outside PATH (it's not clear if they are
> exploitable or not):
>
> * ibus-anthy (1.2.1-1, 1.2.3-1)
> * ibus-skk (0.0.10-1, 1.3.3-1)
> * ibus-xkbc (1.3.3.20100804-1)
> * python-axiom (0.6.0-2)
> * python-epsilon (0.5.9-1)
>
> c) packages with insecure advice in their documentation or vulnerable
> example scripts:
>
> * python-matplotlib-doc (0.99.3-1)
> * python-omniorb-doc (3.3-1)
> * python-sqlobject (0.10.2-3, 0.12.4-2)
> * python-visual (1:5.12-1.1)
> * python-tables-doc (2.0.3-1, 2.1.2-3.1)
> * python-uno (1:2.4.1+dfsg-1+lenny8, 1:3.2.1-7, 1:3.3.0~beta2-2)
> * python2.7-examples (2.7-9)
> * python3.1-examples (3.1.2+20100926-1, 3.1.2+20101012-1)
> * python3.2-examples (3.2~a3-1)
> * twisted-doc (8.1.0-4, 10.1.0-3)
>
> Full log and dd-list are attached.
>
> Any volunteers to file bugs? :)
>
> (The security team was contacted beforehand and they agreed to disclose
> these bugs. This message was bcc-ed to the testing security team.)
>
> --
> Jakub Wilk
>



-- 
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi
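The defect Jakub describes comes from the shell expansion, not from Python: when PYTHONPATH is unset, `/spam/eggs:$PYTHONPATH` expands to `/spam/eggs:` with a trailing colon, and Python treats that empty list element as the current working directory. The following POSIX sh snippet is an added example, not code from the mail or from any of the listed packages; it contrasts the naive construction with the idiomatic `${VAR:+:$VAR}` form that only emits the separator when there is something to separate, and includes a small audit helper a maintainer can run over wrapper scripts' resulting values. `/spam/eggs` is the placeholder path from the mail.

```shell
#!/bin/sh
# Added example (not from the original mail). Demonstrates why
#   PYTHONPATH=/spam/eggs:$PYTHONPATH
# is unsafe when PYTHONPATH is unset or empty, and the safe alternative.

# Naive construction, as found in the affected wrappers: always emits ":$2",
# so an empty $2 yields "/spam/eggs:" and the empty element after the colon
# is interpreted by the interpreter as the current working directory.
naive_pythonpath() {
    printf '%s' "$1:$2"
}

# Safe construction: ${2:+:$2} expands to ":$2" only when $2 is non-empty,
# so no empty element is ever produced.
safe_pythonpath() {
    printf '%s' "$1${2:+:$2}"
}

# Audit helper: returns 0 (true) when a PYTHONPATH value contains an empty
# element (leading colon, trailing colon, or "::"), which Python treats as ".".
# An entirely empty value is fine (equivalent to unset) and returns 1.
has_empty_element() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Stand-alone demonstration with PYTHONPATH deliberately unset.
unset PYTHONPATH
echo "naive:  '$(naive_pythonpath /spam/eggs "${PYTHONPATH-}")'"   # '/spam/eggs:'
echo "safe:   '$(safe_pythonpath  /spam/eggs "${PYTHONPATH-}")'"   # '/spam/eggs'
if has_empty_element "$(naive_pythonpath /spam/eggs "${PYTHONPATH-}")"; then
    echo "naive form would put the current directory on sys.path"
fi
```

In a wrapper script the fix is a one-line change, `PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}`, and the same `${VAR:+:$VAR}` idiom applies to any colon-separated search path (PATH, LD_LIBRARY_PATH, PERL5LIB) that a wrapper prepends to.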