Re: Untrusted search path vulnerabilities

To: debian-devel@lists.debian.org, debian-python@lists.debian.org, lintian-maint@debian.org
Subject: Re: Untrusted search path vulnerabilities
From: Paul Wise <pabs@debian.org>
Date: Thu, 18 Nov 2010 19:04:07 +0800
Message-id: <[🔎] AANLkTinJDtUqd5moGcCcPhroaBV+4Vp4LfBQZjUKRgOX@mail.gmail.com>
In-reply-to: <[🔎] AANLkTi=QzzE6T4OskH3j4mVAgYS=sNKpOcLW6FJ5o3CC@mail.gmail.com>
References: <[🔎] 20101117215848.GA9858@jwilk.net> <[🔎] AANLkTi=QzzE6T4OskH3j4mVAgYS=sNKpOcLW6FJ5o3CC@mail.gmail.com>

> On Wed, Nov 17, 2010 at 22:58, Jakub Wilk <jwilk@debian.org> wrote:
>> A number of packages in the archive sets the PYTHONPATH environment variable
>> in an insecure way. They do something like:
>>
>>      PYTHONPATH=/spam/eggs:$PYTHONPATH
>>
>> This is wrong, because if PYTHONPATH were originally unset or empty, current
>> working directory would be added to sys.path.

I wonder if this class of vulnerabilities (inc the LD_LIBRARY_PATH
ones) could be automatically warned about by lintian.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

Reply to:

Follow-Ups:
- Re: Untrusted search path vulnerabilities
  - From: Mike Hommey <mh@glandium.org>

References:
- Untrusted search path vulnerabilities
  - From: Jakub Wilk <jwilk@debian.org>
- Re: Untrusted search path vulnerabilities
  - From: Sandro Tosi <morph@debian.org>

Prev by Date: Re: Untrusted search path vulnerabilities
Next by Date: Re: Untrusted search path vulnerabilities
Previous by thread: Re: Untrusted search path vulnerabilities
Next by thread: Re: Untrusted search path vulnerabilities
Index(es):
- Date
- Thread