Your message dated Sat, 04 Dec 2010 10:02:56 +0000
with message-id <e1pooxe-0005fq...@franck.debian.org>
and subject line Bug#605152: fixed in gquilt 0.22-1.1
has caused the Debian Bug report #605152,
regarding gquilt: Use of PYTHONPATH env var in an insecure way
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
605152: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605152
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gquilt
Version: 0.22-1
Severity: grave
Tags: security
User: debian-pyt...@lists.debian.org
Usertags: pythonpath

Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in
an insecure way. Those packages do something like:

    PYTHONPATH=/spam/eggs:$PYTHONPATH

This is wrong, because if PYTHONPATH were originally unset or empty,
the current working directory would be added to sys.path.

[1] http://lists.debian.org/debian-python/2010/11/msg00045.html

Your package turns out to have vulnerable scripts in PATH: you can
find a complete log at [2].

[2] http://people.debian.org/~morph/mbf/pythonpath.txt

Some guidelines on how to fix these bugs: in the case given above, you
can use something like

    PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}

(If you don't know this construct, grep for "Use Alternative Value"
in the bash/dash manpage.)

Also, in cases like

   PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH

or

   PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py

you shouldn't need to touch PYTHONPATH at all.

Feel free to contact debian-pyt...@lists.debian.org in case you need
help.



--- End Message ---
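A worked illustration of the two constructs discussed in the report above, added here as an example; it is not part of the original bug report nor of gquilt's own gquilt.sh. /spam/eggs is the placeholder directory from the report, and the function names are my own. The check function flags any empty component in a colon-separated path list, which is exactly what the insecure form produces when PYTHONPATH starts out unset or empty.

```shell
#!/bin/sh
# Added example (not from the bug report or the gquilt package): build
# PYTHONPATH the insecure way and the safe way, then detect the empty
# component that makes Python add the current working directory to sys.path.
# /spam/eggs is the placeholder directory used in the report.

# Insecure form from the report: PYTHONPATH=/spam/eggs:$PYTHONPATH
# With an unset or empty PYTHONPATH this yields "/spam/eggs:", and the
# empty element after the colon is interpreted as the current directory.
insecure_pythonpath() {
    printf '%s' "/spam/eggs:$1"
}

# Safe form from the report: PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
# "${var:+word}" expands to "word" only when var is set and non-empty
# ("Use Alternative Value" in the sh manpage), so the colon is only
# emitted when there is something to append after it.
safe_pythonpath() {
    printf '%s' "/spam/eggs${1:+:$1}"
}

# Returns 0 (true) when the colon-separated list in $1 contains an empty
# component: a leading ':', a trailing ':' or a '::' in the middle.
# Wrapping the value in colons turns every such case into a "::" match.
# An entirely empty list is treated as having no components.
has_empty_component() {
    [ -z "$1" ] && return 1
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Small demonstration with a constructed value and with an empty value.
for original in "/usr/local/lib/mypy" ""; do
    for form in insecure_pythonpath safe_pythonpath; do
        value=$("$form" "$original")
        if has_empty_component "$value"; then
            verdict="UNSAFE (CWD would be added to sys.path)"
        else
            verdict="ok"
        fi
        printf '%-20s PYTHONPATH=%-12s -> "%s" %s\n' \
            "$form" "'$original'" "$value" "$verdict"
    done
done
```

The same check can be run against a live shell session with `has_empty_component "$PYTHONPATH"` after sourcing a wrapper script, which is a quick way to confirm that a fix like the one described in the report actually removed the trailing colon.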
--- Begin Message ---
Source: gquilt
Source-Version: 0.22-1.1

We believe that the bug you reported is fixed in the latest version of
gquilt, which is due to be installed in the Debian FTP archive:

gquilt_0.22-1.1.diff.gz
  to main/g/gquilt/gquilt_0.22-1.1.diff.gz
gquilt_0.22-1.1.dsc
  to main/g/gquilt/gquilt_0.22-1.1.dsc
gquilt_0.22-1.1_all.deb
  to main/g/gquilt/gquilt_0.22-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 605...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve M. Robbins <s...@debian.org> (supplier of updated gquilt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 04 Dec 2010 03:40:01 -0600
Source: gquilt
Binary: gquilt
Architecture: source all
Version: 0.22-1.1
Distribution: unstable
Urgency: low
Maintainer: Christine Spang <christ...@debian.org>
Changed-By: Steve M. Robbins <s...@debian.org>
Description: 
 gquilt     - graphical wrapper for quilt and/or mercurial queues
Closes: 605152
Changes: 
 gquilt (0.22-1.1) unstable; urgency=low
 .
   * Non-Maintainer Upload.
 .
   * gquilt.sh: Set PYTHONPATH safely (in case of blank PYTHONPATH).
     Closes: #605152.
Checksums-Sha1: 
 d270c19e1ba9d5c577a14759c53f4d032af89dfb 1155 gquilt_0.22-1.1.dsc
 6dd9f74c7a9e71c117893e0aba9a83a22914be5b 4842 gquilt_0.22-1.1.diff.gz
 8e190faa631acdce7d491e53e7fa205e09a101d4 170784 gquilt_0.22-1.1_all.deb
Checksums-Sha256: 
 9d78c469c0a0b39c880e929cf062ed2088be749430a7b90184db78c0585a56a2 1155 gquilt_0.22-1.1.dsc
 e2fae5dd72cede738becc1a676a2b8ec68c6440d71861fb23e7259a05d34ec9c 4842 gquilt_0.22-1.1.diff.gz
 060e280925d01cae380b2fc1cf5a0003935c682355d2e0e5362e0f04b9af61e8 170784 gquilt_0.22-1.1_all.deb
Files: 
 72d3416134b4545ebc7362a06b112ff1 1155 gnome optional gquilt_0.22-1.1.dsc
 d09f5cbcbf9fbaef4f065e1d6199fee8 4842 gnome optional gquilt_0.22-1.1.diff.gz
 6e11868b50db561b3f05bd2177a0bfea 170784 gnome optional gquilt_0.22-1.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFM+g5x0i2bPSHbMcURAoyJAJ43X58W51IrNOglSiFlUsP9Kdnw+ACfflzo
Pz6nXFBuQbzOToVIt7nKYOQ=
=EkyG
-----END PGP SIGNATURE-----



--- End Message ---