Your message dated Wed, 15 Dec 2010 07:47:36 +0000
with message-id <e1psm5i-0000qz...@franck.debian.org>
and subject line Bug#605153: fixed in pybliographer 1.2.12-4squeeze1
has caused the Debian Bug report #605153,
regarding pybliographer: Use of PYTHONPATH env var in an insecure way
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
605153: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605153
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pybliographer
Version: 1.2.14-2
Severity: grave
Tags: security
User: debian-pyt...@lists.debian.org
Usertags: pythonpath

Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in
an insecure way. Those packages do something like:

    PYTHONPATH=/spam/eggs:$PYTHONPATH

This is wrong, because if PYTHONPATH were originally unset or empty,
the current working directory would be added to sys.path.

[1] http://lists.debian.org/debian-python/2010/11/msg00045.html

Your package turns out to have vulnerable scripts in PATH: you can
find a complete log at [2].

[2] http://people.debian.org/~morph/mbf/pythonpath.txt

Some guidelines on how to fix these bugs: in the case given above, you
can use something like

    PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}

(If you don't know this construct, grep for "Use Alternative Value"
in the bash/dash manpage.)

Also, in cases like

   PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH

or

   PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py

you shouldn't need to touch PYTHONPATH at all.

Feel free to contact debian-pyt...@lists.debian.org in case you need
help.



--- End Message ---
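The unsafe and corrected PYTHONPATH assignments from the report above, side by side, as an added shell example that is not part of the bug report or of the pybliographer package; /spam/eggs is the placeholder directory the report uses, and the helper names are mine.

```shell
#!/bin/sh
# Added example: why "PYTHONPATH=/spam/eggs:$PYTHONPATH" is unsafe and how
# the "${PYTHONPATH:+:$PYTHONPATH}" form fixes it. Function names and the
# /spam/eggs directory are placeholders, not code from the package.

# Unsafe form: the ":" separator is always emitted, so when the current
# PYTHONPATH ($2) is unset or empty the result ends in ":", i.e. it carries
# an empty component, which Python resolves to the current working directory.
unsafe_pythonpath() {
    printf '%s:%s' "$1" "$2"
}

# Safe form: "${2:+:$2}" expands to ":$2" only when $2 is set and non-empty
# ("Use Alternative Value" in the sh/bash manpage), otherwise to nothing.
safe_pythonpath() {
    printf '%s%s' "$1" "${2:+:$2}"
}

# Return 0 (true) if a non-empty PYTHONPATH value contains an empty component:
# a leading ":", a trailing ":" or a "::" in the middle. Any of these makes
# Python add the current working directory to sys.path, which is the bug.
has_empty_component() {
    case "$1" in
        '')          return 1 ;;
        :*|*:|*::*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# Demonstration with PYTHONPATH unset in the environment.
demo() {
    unset PYTHONPATH
    unsafe="$(unsafe_pythonpath /spam/eggs "$PYTHONPATH")"
    safe="$(safe_pythonpath /spam/eggs "$PYTHONPATH")"
    printf 'unsafe: %s\n' "$unsafe"
    printf 'safe:   %s\n' "$safe"
    if has_empty_component "$unsafe"; then
        echo "unsafe form adds an empty component (cwd) to sys.path"
    fi
}
demo
```

Running the script prints `unsafe: /spam/eggs:` and `safe: /spam/eggs`, and flags the unsafe value.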
--- Begin Message ---
Source: pybliographer
Source-Version: 1.2.12-4squeeze1

We believe that the bug you reported is fixed in the latest version of
pybliographer, which is due to be installed in the Debian FTP archive:

pybliographer_1.2.12-4squeeze1.diff.gz
  to main/p/pybliographer/pybliographer_1.2.12-4squeeze1.diff.gz
pybliographer_1.2.12-4squeeze1.dsc
  to main/p/pybliographer/pybliographer_1.2.12-4squeeze1.dsc
pybliographer_1.2.12-4squeeze1_all.deb
  to main/p/pybliographer/pybliographer_1.2.12-4squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 605...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lawrence <lawre...@debian.org> (supplier of updated pybliographer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Sat, 11 Dec 2010 13:30:54 -0600
Source: pybliographer
Binary: pybliographer
Architecture: source all
Version: 1.2.12-4squeeze1
Distribution: testing-proposed-updates
Urgency: high
Maintainer: Chris Lawrence <lawre...@debian.org>
Changed-By: Chris Lawrence <lawre...@debian.org>
Description: 
 pybliographer - tool for manipulating bibliographic databases
Closes: 605153
Changes: 
 pybliographer (1.2.12-4squeeze1) testing-proposed-updates; urgency=high
 .
   * Remove code involving $PYTHONPATH from scripts, since it adds an
     "extras" directory that no longer seems to exist.  (Closes: #605153)



--- End Message ---
