Package: python-mutagen
Version: 1.20-1
Severity: minor

various mutagen tools like mutagen-inspect run a

import os
import sys

try:
    import mutagen
except ImportError:
    # fallback: append the parent of the current working directory to sys.path
    sys.path.append(os.path.abspath("../"))
    import mutagen

code section. this is not dangerous by itself yet as the mutagen module
and its dependencies will always be present as long as those scripts are
installed on debian, but if something goes wrong with importing *any*
module in mutagen, python code lying around in the working directory
gets a chance to run.

if this ever gets exploitable (eg by undeclared dependencies), it will
be obvious pretty soon because the ImportError will be thrown to the
user unless it's currently being exploited; conversely, any ImportError
that gets reported to the bts until this is fixed is security
critical.

i suggest removing the sys.path tricks from the deployed version, and
ideally from upstream. the upstream authors need that trick to enable
running the tools directly from the tarball, but that could also be
accomplished by symlinking the mutagen directory into the tools
directory (tools/mutagen -> ../mutagen).
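The point of the report is that os.path.abspath("../") resolves against the process's current working directory, not against the script's location, so the directory appended to sys.path is whatever the user happened to be one level above when running the tool. The following is an added example, not code from mutagen or the Debian package; the function names (cwd_relative_fallback, script_relative_fallback, is_cwd_dependent, unexpected_user_paths) are hypothetical. It contrasts the quoted pattern with a fallback anchored on the script's own file, and includes a small audit helper that flags sys.path entries pointing at the working directory or its parent.

```python
# Added example (not code from mutagen or Debian): demonstrates why a
# sys.path.append(os.path.abspath("../")) fallback depends on the working
# directory, and shows a script-anchored alternative. Names are hypothetical.
import os
import sys
import tempfile


def cwd_relative_fallback(rel="../"):
    """The pattern quoted in the report. os.path.abspath() resolves against
    the current working directory, so the entry appended to sys.path is the
    parent of wherever the user ran the tool, not where it is installed."""
    return os.path.abspath(rel)


def script_relative_fallback(script_file, rel="../"):
    """Alternative anchored on the script's own location (normally __file__),
    so the user's working directory has no influence on the search path."""
    base = os.path.dirname(os.path.abspath(script_file))
    return os.path.normpath(os.path.join(base, rel))


def is_cwd_dependent(entry_factory):
    """Audit helper: evaluate entry_factory() from two distinct working
    directories and report whether the resulting sys.path entry changed."""
    original_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        try:
            results = []
            for root in (a, b):
                work = os.path.join(root, "work")  # constructed scratch layout
                os.mkdir(work)
                os.chdir(work)
                results.append(entry_factory())
        finally:
            os.chdir(original_cwd)
    return results[0] != results[1]


def unexpected_user_paths(path_entries, cwd):
    """List sys.path entries that resolve to cwd or its parent, i.e. entries
    that only a working-directory-relative fallback would have introduced.
    An empty entry ('') means the current directory to the import system."""
    cwd = os.path.abspath(cwd)
    suspect = {cwd, os.path.dirname(cwd)}
    return [p for p in path_entries if os.path.abspath(p or ".") in suspect]


if __name__ == "__main__":
    print("cwd-relative fallback varies with cwd:",
          is_cwd_dependent(cwd_relative_fallback))
    print("script-relative fallback varies with cwd:",
          is_cwd_dependent(lambda: script_relative_fallback(__file__)))
    print("entries pointing at cwd or its parent:",
          unexpected_user_paths(sys.path + [cwd_relative_fallback()], os.getcwd()))
```

Running the script shows the quoted pattern yielding a different sys.path entry from each working directory while the script-anchored variant yields a constant one; unexpected_user_paths() is the check to run inside a tool that keeps such a fallback, so that an entry derived from the working directory is at least reported rather than silently searched for modules.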

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-mutagen depends on:
ii  python     2.7.2-10
ii  python2.6  2.6.7-4
ii  python2.7  2.7.2-13

python-mutagen recommends no packages.

python-mutagen suggests no packages.

-- no debconf information

-- debsums errors found:
dpkg-query: warning: parsing file '/var/lib/dpkg/status' near line 59239 
package 'calypso':
 missing description
dpkg-divert: warning: parsing file '/var/lib/dpkg/status' near line 59239 
package 'calypso':
 missing description

-- 
To use raw power is to make yourself infinitely vulnerable to greater powers.
  -- Bene Gesserit axiom
