Your message dated Sun, 19 Dec 2010 13:56:32 +0000
with message-id <e1pujkw-0003ij...@franck.debian.org>
and subject line Bug#605152: fixed in gquilt 0.20-2+lenny1
has caused the Debian Bug report #605152,
regarding gquilt: Use of PYTHONPATH env var in an insecure way
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
605152: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605152
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gquilt
Version: 0.22-1
Severity: grave
Tags: security
User: debian-pyt...@lists.debian.org
Usertags: pythonpath

Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in
an insecure way. Those packages do something like:

    PYTHONPATH=/spam/eggs:$PYTHONPATH

This is wrong, because if PYTHONPATH were originally unset or empty,
current working directory would be added to sys.path.

[1] http://lists.debian.org/debian-python/2010/11/msg00045.html

Your package turns out to have vulnerable scripts in PATH: you can
find a complete log at [2].

[2] http://people.debian.org/~morph/mbf/pythonpath.txt

Some guidelines on how to fix these bugs: in the case given above, you
can use something like

    PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}

(If you don't know this construct, grep for "Use Alternative Value"
in the bash/dash manpage.)

Also, in cases like

   PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH

or

   PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py

you shouldn't need to touch PYTHONPATH at all.

Feel free to contact debian-pyt...@lists.debian.org in case you need
help.



--- End Message ---
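The two shell idioms the report contrasts, as an added example (not code from the bug report or from the gquilt package): the insecure prepend that leaves an empty entry when PYTHONPATH is unset, the fixed form using `${VAR:+...}`, and a small check that flags an empty entry in a PYTHONPATH value, which is exactly what makes Python add the current working directory to sys.path. Function names and the `/spam/eggs` sample directory are constructed for the example.

```shell
# Insecure form from the report: $1 = directory to prepend, $2 = the
# current PYTHONPATH value. When $2 is empty the result is "/spam/eggs:",
# and Python reads the empty entry after the colon as the CWD.
insecure_prepend() {
    printf '%s:%s' "$1" "$2"
}

# Fixed form from the report: the colon is only emitted when the old
# value is non-empty ("Use Alternative Value" in the sh/bash manpage).
safe_prepend() {
    printf '%s%s' "$1" "${2:+:$2}"
}

# Returns 0 (true) when a PYTHONPATH value contains an empty entry, i.e. a
# leading or trailing colon or "::"; returns 1 otherwise. A completely
# empty value is ignored by Python, so it is not reported.
has_empty_entry() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Demonstration with PYTHONPATH unset, as in the report's failure case.
unset PYTHONPATH
bad=$(insecure_prepend /spam/eggs "${PYTHONPATH:-}")
good=$(safe_prepend /spam/eggs "${PYTHONPATH:-}")
for v in "$bad" "$good"; do
    if has_empty_entry "$v"; then
        printf 'INSECURE: "%s" contains an empty entry (CWD on sys.path)\n' "$v"
    else
        printf 'ok:       "%s"\n' "$v"
    fi
done
```

Running `has_empty_entry "$PYTHONPATH"` inside a wrapper script is a cheap way to catch the pattern before the interpreter is started.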
--- Begin Message ---
Source: gquilt
Source-Version: 0.20-2+lenny1

We believe that the bug you reported is fixed in the latest version of
gquilt, which is due to be installed in the Debian FTP archive:

gquilt_0.20-2+lenny1.diff.gz
  to main/g/gquilt/gquilt_0.20-2+lenny1.diff.gz
gquilt_0.20-2+lenny1.dsc
  to main/g/gquilt/gquilt_0.20-2+lenny1.dsc
gquilt_0.20-2+lenny1_all.deb
  to main/g/gquilt/gquilt_0.20-2+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 605...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christine Spang <christ...@debian.org> (supplier of updated gquilt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Mon, 13 Dec 2010 22:15:44 -0500
Source: gquilt
Binary: gquilt
Architecture: source all
Version: 0.20-2+lenny1
Distribution: stable
Urgency: high
Maintainer: Christine Spang <christ...@debian.org>
Changed-By: Christine Spang <christ...@debian.org>
Description: 
 gquilt     - graphical wrapper for quilt and/or mercurial
Closes: 605152
Changes: 
 gquilt (0.20-2+lenny1) stable; urgency=high
 .
   * Fix insecure setting of $PYTHONPATH. (Closes: #605152)




--- End Message ---
