Your message dated Thu, 09 Dec 2010 12:47:30 +0000
with message-id <e1pqfue-0005ux...@franck.debian.org>
and subject line Bug#605151: fixed in snappea 3.0d3-20.1
has caused the Debian Bug report #605151,
regarding snappea: Use of PYTHONPATH env var in an insecure way
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
605151: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605151
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: snappea
Version: 3.0d3-20
Severity: grave
Tags: security
User: debian-pyt...@lists.debian.org
Usertags: pythonpath
Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in
an insecure way. Those packages do something like:
PYTHONPATH=/spam/eggs:$PYTHONPATH
This is wrong, because if PYTHONPATH were originally unset or empty,
current working directory would be added to sys.path.
[1] http://lists.debian.org/debian-python/2010/11/msg00045.html
Your package turns out to have vulnerable scripts in PATH: you can
find a complete log at [2].
[2] http://people.debian.org/~morph/mbf/pythonpath.txt
Some guidelines on how to fix these bugs: in the case given above, you
can use something like
PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
(If you don't know this construct, grep for "Use Alternative Value"
in the bash/dash manpage.)
Also, in cases like
PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH
or
PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py
you shouldn't need to touch PYTHONPATH at all.
Feel free to contact debian-pyt...@lists.debian.org if you need
help.
--- End Message ---
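The two PYTHONPATH constructions from the report side by side, a check for the empty path component that the insecure form leaves behind, and a first-pass scan for the pattern in wrapper scripts. This is an added example, not code from the bug report or the snappea package; the sample wrapper lines are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report or the snappea package):
# reproduces the two PYTHONPATH constructions from the report, a check
# for the empty entry that makes Python put the current directory on
# sys.path, and a heuristic scan for the insecure pattern in wrappers.

# Insecure form from the report. $1 is the directory to prepend, $2 the
# inherited PYTHONPATH: when $2 is unset or empty a trailing ':' remains.
insecure_pythonpath() {
    printf '%s\n' "$1:$2"
}

# Secure form from the report: "${2:+:$2}" expands to ":$2" only when
# $2 is non-empty, so no empty component is ever produced.
secure_pythonpath() {
    printf '%s\n' "$1${2:+:$2}"
}

# True (exit 0) when the colon-separated list in $1 has an empty
# component (leading ':', trailing ':' or '::'). An entirely empty value
# is treated as unset and not flagged.
has_empty_entry() {
    if [ -z "$1" ]; then
        return 1
    fi
    case ":$1:" in
        *::*) return 0 ;;
    esac
    return 1
}

# Heuristic scan of wrapper-script lines read from stdin: prints lines
# that join a bare $PYTHONPATH with ':' without the ${PYTHONPATH:+...}
# guard. A first pass for review, not a complete shell parser.
scan_wrappers() {
    grep -E '(:\$PYTHONPATH|\$PYTHONPATH:)' | grep -vF 'PYTHONPATH:+' || true
}

# Constructed sample wrapper lines, mirroring the report's examples.
SAMPLE='PYTHONPATH=/spam/eggs:$PYTHONPATH
PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py'

printf '%s\n' "$SAMPLE" | scan_wrappers
```

Run with a directory and an empty second argument to see the trailing colon the insecure form produces; the scan prints the first and third sample lines and lets the guarded second one through.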
--- Begin Message ---
Source: snappea
Source-Version: 3.0d3-20.1
We believe that the bug you reported is fixed in the latest version of
snappea, which is due to be installed in the Debian FTP archive:
snappea-dev_3.0d3-20.1_amd64.deb
to main/s/snappea/snappea-dev_3.0d3-20.1_amd64.deb
snappea_3.0d3-20.1.diff.gz
to main/s/snappea/snappea_3.0d3-20.1.diff.gz
snappea_3.0d3-20.1.dsc
to main/s/snappea/snappea_3.0d3-20.1.dsc
snappea_3.0d3-20.1_amd64.deb
to main/s/snappea/snappea_3.0d3-20.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 605...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ansgar Burchardt <ans...@debian.org> (supplier of updated snappea package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Thu, 02 Dec 2010 13:15:42 +0100
Source: snappea
Binary: snappea snappea-dev
Architecture: amd64 source
Version: 3.0d3-20.1
Distribution: unstable
Urgency: low
Maintainer: Ben Burton <b...@debian.org>
Changed-By: Ansgar Burchardt <ans...@debian.org>
Closes: 605151
Description:
snappea - a program for creating and studying hyperbolic 3-manifolds
snappea-dev - development files for SnapPea hyperbolic 3-manifold tool
Changes:
snappea (3.0d3-20.1) unstable; urgency=low
.
* Non-maintainer upload.
* Set PYTHONPATH in a secure way. (Closes: #605151)
* Change doc-base section to Science/Mathematics.
* debian/control: Add ${misc:Depends}.
--- End Message ---