Hi Rene,

On Sun, Nov 28, 2010 at 00:29, Rene Engelhard <r...@debian.org> wrote:
> found 605178 1:3.2.1-7
> found 605178 1:2.4.1+dfsg-1+lenny8
> severity 605178 minor
> thanks
>
> On Sat, Nov 27, 2010 at 10:45:58PM +0000, Sandro Tosi wrote:
>> Version: 1:3.3.0~beta2-2
>
> If the log says 2.4.1 and 3.2.1, too, why did you file it only against
> 1:3.3.0~beta2-2? :)

yeah, sorry about that: the submits were done with mass-bug, but the
tool is affected by a bug (#605235) that generated 3 identical reports
instead of 3 for different versions (1:2.4.1+dfsg-1+lenny8 1:3.2.1-7,
1:3.3.0~beta2-2)

>> Severity: important
>
> Well, it's a demo and it's a *tcsh* script....
> I'd call it minor...
>
>> Tags: security
>
> See above.

well, whatever ;)

>> Your package turns out to ship vulnerable examples or contains
>> insecure advices: you can find a complete log at [2].
>
> It's the second...
>
>> [2] http://people.debian.org/~morph/mbf/pythonpath.txt
>
> If the log says 2.4.1 and 3.2.1, too, why did you file it only against
> 1:3.3.0~beta2-2? :)

see above

>> Some guidelines on how to fix these bugs: in the case given above, you
>> can use something like
>>
>> PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
>>
>> (If you don't know this construct, grep for "Use Alternative Value"
>> in the bash/dash manpage.)
>
> What is the tcsh equivalent?

sorry, I don't have an equivalent tcsh snippet. You can do it the
"didactical" way, with

if PYTHONPATH is set:
    do one thing
else
    do something else

> (BTW, the offending line is probably
>
> setenv PYTHONPATH .:$OOOHOME/program:$OOOHOME/program/pydemo:$OOOHOME/program/python/lib:$PYTHONPATH
>
> which is basically noop, as there's no internal python copy in our builds,
> and /pydemo doesn't exist
> either, same as python scripts in $OOOHOME/program and especially since
> OOHOME is set as
> "setenv OOOHOME /src4/OpenOffice.org1.1Beta2" :)

the fact is that a guy can copy the demo/ dir contents in another dir
and have '.' be added to PYTHONPATH with possible implications; in
this case '.' is even explicitly set in front of the PYTHONPATH line:
why do you need it?

Cheers,
-- 
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi
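
Added example, not part of the original message or of the OpenOffice.org package: a POSIX sh sketch that compares the unguarded prepend with the "Use Alternative Value" form quoted in the thread, then audits the resulting list for empty and relative entries such as '.'. The function names and sample paths (including /opt/ooo as a stand-in for $OOOHOME) are hypothetical.

```sh
#!/bin/sh
# Added example (constructed): function names and sample paths are hypothetical.

# Unguarded prepend, the pattern the bug report flags: when the old value is
# unset or empty, the result ends in ':' and so carries an empty entry.
prepend_unguarded() {   # $1 = directory to add, $2 = current PYTHONPATH value
    printf '%s\n' "$1:$2"
}

# Guarded prepend using the "Use Alternative Value" expansion from the thread:
# the ':' separator is emitted only when the old value is non-empty.
prepend_guarded() {
    pg_old=$2
    printf '%s\n' "$1${pg_old:+:$pg_old}"
}

# Report every entry of a ':'-separated list that is empty or not absolute.
# Python resolves both kinds against the current working directory.
# Returns 1 if any such entry is found, 0 otherwise.
audit_path_list() {
    [ -n "$1" ] || return 0          # nothing set, nothing to audit
    ap_rest="$1:" ap_bad=0           # sentinel ':' so the last entry is seen
    while [ -n "$ap_rest" ]; do
        ap_entry=${ap_rest%%:*}
        ap_rest=${ap_rest#*:}
        case $ap_entry in
            '') echo "empty entry"; ap_bad=1 ;;
            /*) ;;                   # absolute path: fine
            *)  echo "relative entry: $ap_entry"; ap_bad=1 ;;
        esac
    done
    return "$ap_bad"
}

# Demo on constructed values; /opt/ooo stands in for $OOOHOME.
for old in "" "/usr/lib/python-extra"; do
    for value in "$(prepend_unguarded /spam/eggs "$old")" \
                 "$(prepend_guarded /spam/eggs "$old")" \
                 ".:/opt/ooo/program:$old"; do
        printf 'PYTHONPATH=%s\n' "$value"
        audit_path_list "$value" | sed 's/^/    /'
    done
done
```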