Your message dated Wed, 23 Mar 2011 08:16:06 +0000
with message-id <[email protected]>
and subject line Bug#605172: fixed in ibus-anthy 1.2.5-2
has caused the Debian Bug report #605172,
regarding ibus-anthy: Use of PYTHONPATH env var in an insecure way
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
605172: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605172
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ibus-anthy
Version: 1.2.3-1
Severity: important
Tags: security
User: [email protected]
Usertags: pythonpath

Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in
an insecure way. Those packages do something like:

    PYTHONPATH=/spam/eggs:$PYTHONPATH

This is wrong, because if PYTHONPATH were originally unset or empty,
current working directory would be added to sys.path.

[1] http://lists.debian.org/debian-python/2010/11/msg00045.html

Your package turns out to have script/module outside PATH (even if not
sure if vulnerable): you can find a complete log at [2].

[2] http://people.debian.org/~morph/mbf/pythonpath.txt

Some guidelines on how to fix these bugs: in the case given above, you
can use something like

    PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}

(If you don't know this construct, grep for "Use Alternative Value"
in the bash/dash manpage.)

Also, in cases like

   PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH

or

   PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py

you shouldn't need to touch PYTHONPATH at all.

Feel free to contact [email protected] if you need
help.



--- End Message ---
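The two constructions from the report above, side by side with a check for the empty path component that Python turns into the current working directory. This is an added example, not code from the bug report or from the ibus-anthy package; /spam/eggs is the report's own placeholder and /opt/lib is a constructed sample value.

```shell
#!/bin/sh
# Added example: compare the insecure and the recommended ways of prepending
# a directory to PYTHONPATH, as described in the bug report.

# Insecure form from the report: ":$PYTHONPATH" is always appended, so an
# unset or empty PYTHONPATH leaves a trailing empty component, which the
# Python interpreter treats as the current working directory on sys.path.
unsafe_pythonpath() {
    printf '%s\n' "$1:$PYTHONPATH"
}

# Recommended form: ":$PYTHONPATH" is appended only when PYTHONPATH is set
# and non-empty ("Use Alternative Value" in the sh manpage).
safe_pythonpath() {
    printf '%s\n' "$1${PYTHONPATH:+:$PYTHONPATH}"
}

# Returns 0 (true) when a colon-separated path list contains an empty
# component: a leading or trailing colon, or "::" in the middle.
has_empty_component() {
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Report whether a candidate PYTHONPATH value is safe to export.
report() {
    if has_empty_component "$2"; then
        printf 'INSECURE %-6s PYTHONPATH=%s  (cwd would land on sys.path)\n' "$1" "$2"
    else
        printf 'ok       %-6s PYTHONPATH=%s\n' "$1" "$2"
    fi
}

# Demo: the same directory with PYTHONPATH unset, empty, and set to a
# constructed value (/opt/lib).
for state in unset empty set; do
    case $state in
        unset) unset PYTHONPATH ;;
        empty) PYTHONPATH="" ;;
        set)   PYTHONPATH=/opt/lib ;;
    esac
    report "$state" "$(unsafe_pythonpath /spam/eggs)"
    report "$state" "$(safe_pythonpath /spam/eggs)"
done
unset PYTHONPATH
```

Only the unset and empty cases differ between the two forms; when PYTHONPATH already holds a value, both produce the same list.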
--- Begin Message ---
Source: ibus-anthy
Source-Version: 1.2.5-2

We believe that the bug you reported is fixed in the latest version of
ibus-anthy, which is due to be installed in the Debian FTP archive:

ibus-anthy_1.2.5-2.debian.tar.gz
  to main/i/ibus-anthy/ibus-anthy_1.2.5-2.debian.tar.gz
ibus-anthy_1.2.5-2.dsc
  to main/i/ibus-anthy/ibus-anthy_1.2.5-2.dsc
ibus-anthy_1.2.5-2_amd64.deb
  to main/i/ibus-anthy/ibus-anthy_1.2.5-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Asias He <[email protected]> (supplier of updated ibus-anthy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 22 Mar 2011 21:47:54 +0800
Source: ibus-anthy
Binary: ibus-anthy
Architecture: source amd64
Version: 1.2.5-2
Distribution: unstable
Urgency: low
Maintainer: IME Packaging Team <[email protected]>
Changed-By: Asias He <[email protected]>
Description: 
 ibus-anthy - anthy engine for IBus
Closes: 605171 605172
Changes: 
 ibus-anthy (1.2.5-2) unstable; urgency=low
 .
   * Fix "Use of PYTHONPATH env var in an insecure way"
    (Closes: #605171) (Closes: #605172)
   * Set Vcs to git.debian.org
Checksums-Sha1: 
 c17314a019c4f43b190a76019b8d3bed9ac82134 1417 ibus-anthy_1.2.5-2.dsc
 3451c4c14142da91d005513fe4cc025c29dbabd0 81820 ibus-anthy_1.2.5-2.debian.tar.gz
 ec4342fa90dfbfcca5c2abbf6cd30b743a179f01 111070 ibus-anthy_1.2.5-2_amd64.deb
Checksums-Sha256: 
 486d6bd43966ba000d959033c38313b63d7f706bdfa3054b67c524f64c146882 1417 ibus-anthy_1.2.5-2.dsc
 81b30b6fd204fe0c1ad0002fe34c4290505f9c564bf3bbf803d0213f69a38781 81820 ibus-anthy_1.2.5-2.debian.tar.gz
 140b545103f45fbca317acc706ddfff3868d90326750db7f5ceaff9973b47085 111070 ibus-anthy_1.2.5-2_amd64.deb
Files: 
 d67e73096914d23c96a2324062ab9d34 1417 utils optional ibus-anthy_1.2.5-2.dsc
 4e476b2641a8ef55d3eebc88cce19b78 81820 utils optional ibus-anthy_1.2.5-2.debian.tar.gz
 31200f125fd5aca203462565e20bad5b 111070 utils optional ibus-anthy_1.2.5-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk2IwcsACgkQ5TUK4GCH0vhwpQCeMCmDMpDEwBRTggF8IR7qX7iC
2KcAnifta2lAUyYFebH7/cBdINMsR/dC
=mwKr
-----END PGP SIGNATURE-----



--- End Message ---