
Re: Untrusted search path vulnerabilities



* Mike Hommey <mh@glandium.org>, 2010-11-18, 12:17:
A number of packages in the archive set the PYTHONPATH environment variable in an insecure way. They do something like:

     PYTHONPATH=/spam/eggs:$PYTHONPATH

This is wrong, because if PYTHONPATH were originally unset or empty, the current working directory would be added to sys.path.

I wonder if this class of vulnerabilities (inc the LD_LIBRARY_PATH
ones) could be automatically warned about by lintian.

This is bug #451559. I guess it will be tricky to implement reliably.

I wonder if this wouldn't be our duty to remove the possibility of these vulnerabilities at all. Who relies on these PATH variables features to include the current directory instead of adding "."? Why don't we fix python, ld.so and other stuff doing the same such that empty entries are skipped?

http://seclists.org/oss-sec/2010/q3/446

I don't know if "next stable release" means squeeze or wheezy here. IMO it's too late for such changes for squeeze.

--
Jakub Wilk
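
The pattern discussed in this thread, next to a form that leaves no empty entry, as an added example that is not part of the original messages. The function names (`unsafe_prepend`, `safe_prepend`, `has_empty_entry`, `strip_empty_entries`) are hypothetical helpers; `/spam/eggs` is the placeholder directory from the quoted message.

```shell
#!/bin/sh
# Added example: all function names here are hypothetical helpers.

# The quoted pattern: always emits "dir:old", so an unset or empty
# old value yields "dir:", i.e. a trailing empty entry.
unsafe_prepend() {
    printf '%s\n' "$1:$2"
}

# Safe form: the separator and old value are emitted only when the
# old value is non-empty (${var:+word} expands to nothing otherwise).
safe_prepend() {
    old=$2
    printf '%s\n' "$1${old:+:$old}"
}

# Succeeds if a colon-separated list contains an empty entry
# (leading colon, trailing colon, or two adjacent colons).
has_empty_entry() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Drops empty entries from an inherited value. The body runs in a
# subshell so the IFS and noglob changes do not leak to the caller.
strip_empty_entries() (
    out=
    IFS=:
    set -f
    for entry in $1; do
        if [ -n "$entry" ]; then
            out="${out:+$out:}$entry"
        fi
    done
    printf '%s\n' "$out"
)

# Constructed inputs: an empty inherited value and a populated one.
for old in '' '/opt/lib'; do
    u=$(unsafe_prepend /spam/eggs "$old")
    s=$(safe_prepend /spam/eggs "$old")
    has_empty_entry "$u" && printf 'empty entry in: %s\n' "$u"
    printf 'safe form: %s\n' "$s"
done
```

In a wrapper script the safe form is the one-liner `PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}`; `safe_prepend` keeps the inherited value verbatim, so an inherited value that already has empty entries needs `strip_empty_entries` first.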

