Your message dated Tue, 22 Mar 2011 12:24:43 +0000
with message-id <[email protected]>
and subject line Bug#605176: fixed in ibus-xkbc 1.3.3.20100804-2
has caused the Debian Bug report #605176,
regarding ibus-xkbc: Use of PYTHONPATH env var in an insecure way
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
605176: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605176
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ibus-xkbc
Version: 1.3.3.20100804-1
Severity: important
Tags: security
User: [email protected]
Usertags: pythonpath

Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in
an insecure way. Those packages do something like:

    PYTHONPATH=/spam/eggs:$PYTHONPATH

This is wrong, because if PYTHONPATH were originally unset or empty,
current working directory would be added to sys.path.

[1] http://lists.debian.org/debian-python/2010/11/msg00045.html

Your package turns out to have script/module outside PATH (even if not
sure if vulnerable): you can find a complete log at [2].

[2] http://people.debian.org/~morph/mbf/pythonpath.txt

Some guidelines on how to fix these bugs: in the case given above, you
can use something like

    PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}

(If you don't know this construct, grep for "Use Alternative Value"
in the bash/dash manpage.)

Also, in cases like

    PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH

or

    PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py

you shouldn't need to touch PYTHONPATH at all.

Feel free to contact [email protected] in case you need
help.



--- End Message ---
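The two assignments discussed in the report above, run side by side as an added example (this is not code from the bug report or from the ibus-xkbc package; /spam/eggs and /opt/lib/py are placeholder paths):

```shell
#!/bin/sh
# Added example (not part of the bug report or the ibus-xkbc package): runs the
# two PYTHONPATH assignments from the report and shows why the first one is
# unsafe when PYTHONPATH starts out unset.

# The insecure form from the report and the recommended replacement.
INSECURE='PYTHONPATH=/spam/eggs:$PYTHONPATH'
SECURE='PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}'

# Evaluate an assignment ($1) in a subshell where PYTHONPATH is first unset and
# then, if $2 is non-empty, set to $2. Prints the resulting PYTHONPATH.
run_assignment() {
    (
        unset PYTHONPATH
        if [ -n "$2" ]; then PYTHONPATH=$2; fi
        eval "$1"
        printf '%s' "$PYTHONPATH"
    )
}

# True (exit 0) if a colon-separated list has an empty element: a leading or
# trailing ':' or a '::' in the middle. Python treats such an element as the
# current working directory, which is the problem the report describes.
has_empty_component() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the list one entry per line the way Python's sys.path would see it:
# every empty element is replaced by the current working directory.
resolve_like_python() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        if [ -z "$entry" ]; then pwd; else printf '%s\n' "$entry"; fi
    done
}

# Demonstration when run directly (constructed values, not from a real package).
echo "insecure, PYTHONPATH unset: $(run_assignment "$INSECURE" "")"
echo "secure,   PYTHONPATH unset: $(run_assignment "$SECURE" "")"
echo "secure,   PYTHONPATH set:   $(run_assignment "$SECURE" /opt/lib/py)"
echo "sys.path entries for the insecure result:"
resolve_like_python "$(run_assignment "$INSECURE" "")"
```

The last line of output is the current working directory, which is exactly the entry the report warns about.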
--- Begin Message ---
Source: ibus-xkbc
Source-Version: 1.3.3.20100804-2

We believe that the bug you reported is fixed in the latest version of
ibus-xkbc, which is due to be installed in the Debian FTP archive:

ibus-xkbc_1.3.3.20100804-2.debian.tar.gz
  to main/i/ibus-xkbc/ibus-xkbc_1.3.3.20100804-2.debian.tar.gz
ibus-xkbc_1.3.3.20100804-2.dsc
  to main/i/ibus-xkbc/ibus-xkbc_1.3.3.20100804-2.dsc
ibus-xkbc_1.3.3.20100804-2_all.deb
  to main/i/ibus-xkbc/ibus-xkbc_1.3.3.20100804-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <[email protected]> (supplier of updated ibus-xkbc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Wed, 16 Feb 2011 22:26:00 +0800
Source: ibus-xkbc
Binary: ibus-xkbc
Architecture: source all
Version: 1.3.3.20100804-2
Distribution: unstable
Urgency: low
Maintainer: IME Packaging Team <[email protected]>
Changed-By: Aron Xu <[email protected]>
Description: 
 ibus-xkbc  - keyboard layout emulation engine for IBus
Closes: 605176
Changes: 
 ibus-xkbc (1.3.3.20100804-2) unstable; urgency=low
 .
   * Team upload.
   * debian/patches/02_debian-605176-unsafe-pythonpath.patch:
     - Avoid setting PYTHONPATH (useless here) to resolve security issue.
       (Closes: #605176)




--- End Message ---