Your message dated Mon, 06 Dec 2010 06:02:08 +0000
with message-id <e1ppu9i-0001bu...@franck.debian.org>
and subject line Bug#605168: fixed in distcc 3.1-3.2
has caused the Debian Bug report #605168,
regarding distcc-pump: Use of PYTHONPATH env var in an insecure way
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
605168: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605168
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: distcc-pump
Version: 3.1-3.1
Severity: grave
Tags: security
User: debian-pyt...@lists.debian.org
Usertags: pythonpath
Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in
an insecure way. Those packages do something like:
PYTHONPATH=/spam/eggs:$PYTHONPATH
This is wrong, because if PYTHONPATH were originally unset or empty,
the current working directory would be added to sys.path.
[1] http://lists.debian.org/debian-python/2010/11/msg00045.html
Your package turns out to have vulnerable scripts in PATH: you can
find a complete log at [2].
[2] http://people.debian.org/~morph/mbf/pythonpath.txt
Some guidelines on how to fix these bugs: in the case given above, you
can use something like
PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
(If you don't know this construct, grep for "Use Alternative Value"
in the bash/dash manpage.)
Also, in cases like
PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH
or
PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py
you shouldn't need to touch PYTHONPATH at all.
Feel free to contact debian-pyt...@lists.debian.org if you need
help.
--- End Message ---
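The trailing-colon problem the report describes, as an added shell example (it is not code from the bug report, the Debian Python team, or the distcc package): the two PYTHONPATH constructions side by side, a counter for empty entries in a colon-separated path, and a guarded demo that, when python3 is on the PATH, runs a script from a working directory containing a constructed shadowme.py and shows that the insecure form imports it while the ${PYTHONPATH:+:$PYTHONPATH} form does not. The path /spam/eggs, the module name shadowme and the runner.py script are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the Debian bug report or distcc.
# /spam/eggs, shadowme and runner.py are illustrative assumptions.

# The vulnerable construction from the report: when $2 (the inherited
# PYTHONPATH) is empty, the result ends in ':' and Python treats the
# empty entry as the current working directory.
insecure_pythonpath() {
    printf '%s:%s' "$1" "$2"
}

# The recommended construction: append ':'"$2" only when $2 is non-empty
# ("Use Alternative Value" in the sh manpage).
secure_pythonpath() {
    printf '%s%s' "$1" "${2:+:$2}"
}

# Count empty entries in a colon-separated path; each one is an implicit
# "." for Python. Returns 0 for an empty string.
count_empty_entries() {
    cee_n=0
    [ -z "$1" ] && { echo 0; return 0; }
    cee_rest="$1:"
    while [ -n "$cee_rest" ]; do
        cee_entry="${cee_rest%%:*}"
        cee_rest="${cee_rest#*:}"
        [ -z "$cee_entry" ] && cee_n=$((cee_n + 1))
    done
    echo "$cee_n"
}

# Demo: a script in one directory imports a module that exists only in the
# caller's working directory. With the insecure PYTHONPATH the import
# succeeds (cwd is on sys.path); with the secure one it fails.
# Prints "skip" when python3 is not installed.
demo() {
    command -v python3 >/dev/null 2>&1 || { echo skip; return 0; }
    d_script=$(mktemp -d) || return 1
    d_cwd=$(mktemp -d) || return 1
    printf 'import shadowme\n' > "$d_script/runner.py"
    # Constructed module standing in for an attacker-planted file.
    printf 'VALUE = "loaded from cwd"\n' > "$d_cwd/shadowme.py"
    if (cd "$d_cwd" && PYTHONPATH=$(insecure_pythonpath /spam/eggs "") \
            python3 "$d_script/runner.py" >/dev/null 2>&1); then
        d_a=imported
    else
        d_a=blocked
    fi
    if (cd "$d_cwd" && PYTHONPATH=$(secure_pythonpath /spam/eggs "") \
            python3 "$d_script/runner.py" >/dev/null 2>&1); then
        d_b=imported
    else
        d_b=blocked
    fi
    rm -rf "$d_script" "$d_cwd"
    echo "insecure=$d_a secure=$d_b"
}

# Stand-alone run: show both constructions with an empty inherited value.
echo "insecure: $(insecure_pythonpath /spam/eggs "")"
echo "secure:   $(secure_pythonpath /spam/eggs "")"
demo
```

The demo deliberately invokes python3 without -E or -I: those flags make the interpreter ignore PYTHONPATH altogether, which is the other fix available when, as the report notes for the exec-style wrappers, the script does not need PYTHONPATH in the first place.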
--- Begin Message ---
Source: distcc
Source-Version: 3.1-3.2
We believe that the bug you reported is fixed in the latest version of
distcc, which is due to be installed in the Debian FTP archive:
distcc-pump_3.1-3.2_amd64.deb
to main/d/distcc/distcc-pump_3.1-3.2_amd64.deb
distcc_3.1-3.2.diff.gz
to main/d/distcc/distcc_3.1-3.2.diff.gz
distcc_3.1-3.2.dsc
to main/d/distcc/distcc_3.1-3.2.dsc
distcc_3.1-3.2_amd64.deb
to main/d/distcc/distcc_3.1-3.2_amd64.deb
distccmon-gnome_3.1-3.2_amd64.deb
to main/d/distcc/distccmon-gnome_3.1-3.2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 605...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steve M. Robbins <s...@debian.org> (supplier of updated distcc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 05 Dec 2010 22:58:22 -0600
Source: distcc
Binary: distcc distccmon-gnome distcc-pump
Architecture: source amd64
Version: 3.1-3.2
Distribution: unstable
Urgency: low
Maintainer: Carsten Wolff <cars...@wolffcarsten.de>
Changed-By: Steve M. Robbins <s...@debian.org>
Description:
distcc - Simple distributed compiler client and server
distcc-pump - pump mode for distcc a distributed compiler client and server
distccmon-gnome - GTK+ monitor for distcc a distributed client and server
Closes: 605168
Changes:
distcc (3.1-3.2) unstable; urgency=low
.
* Non-maintainer upload.
.
* source/pump.in: Set PYTHONPATH securely. Closes: #605168.
Checksums-Sha1:
cc7a23848f6327baa098ae0a96556bab3ddc0c54 1087 distcc_3.1-3.2.dsc
31e4a05e6d7187698a09821135858dc72d753e48 63921 distcc_3.1-3.2.diff.gz
162b8745d65e83d29eceeb35f71b3ce49be31ada 248372 distcc_3.1-3.2_amd64.deb
ebf2c610c70f6f03dc31516e31d435aa9d76c668 44602 distccmon-gnome_3.1-3.2_amd64.deb
edc331c2eaff32089827bf414ca26d6354f7b6dc 140510 distcc-pump_3.1-3.2_amd64.deb
Checksums-Sha256:
3a637af3415d7d49a15f95cb42ebadf8659eb97bc1cd12aeb69bf5244a7096b4 1087 distcc_3.1-3.2.dsc
1d2082d12e50081c071d6267d6f3693198dd9d7cbb6569c84b941b9757a44e1d 63921 distcc_3.1-3.2.diff.gz
a811d58640e0391b5a27ad39238dae4c3fea5957d85246afc7626f3fb2eaef68 248372 distcc_3.1-3.2_amd64.deb
67a99e9b784544f9b5c59811f1cd3bf6294f1279d22d51132b7607911f5650ed 44602 distccmon-gnome_3.1-3.2_amd64.deb
6b06ba294a50d1db5cf6b77a11f125b423ab93b6fb27f13c567bb54b2adf3183 140510 distcc-pump_3.1-3.2_amd64.deb
Files:
6e7e1998c14296dde895a6d525b35bd5 1087 devel optional distcc_3.1-3.2.dsc
43123716fd7238a53d2fb919a82194f9 63921 devel optional distcc_3.1-3.2.diff.gz
05871ee41abc205a1d915adb706beacc 248372 devel optional distcc_3.1-3.2_amd64.deb
b422612114afa8246b89494a0ed0e188 44602 devel optional distccmon-gnome_3.1-3.2_amd64.deb
d1c14cc32eb7174f0d899b40eb57b817 140510 devel optional distcc-pump_3.1-3.2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iD8DBQFM/Hlq0i2bPSHbMcURAuZbAJ9Os74uzFj3MxQfn8szxAVGJjB/qgCbBipN
A4Pl+POdBTyGNsMU4Lgqe7w=
=Se25
-----END PGP SIGNATURE-----
--- End Message ---