Package: python-mutagen
Version: 1.20-1
Severity: minor

Various mutagen tools like mutagen-inspect run a code section like this:

    try:
        import mutagen
    except ImportError:
        sys.path.append(os.path.abspath("../"))
        import mutagen

This is not dangerous by itself yet, as the mutagen module and its dependencies will always be present as long as those scripts are installed on Debian, but if something goes wrong with importing *any* module in mutagen, Python code lying around in the working directory gets a chance to run.

If this ever becomes exploitable (e.g. through undeclared dependencies), it will be obvious pretty soon, because the ImportError will be thrown to the user unless it is currently being exploited; conversely, any ImportError that gets reported to the BTS until this is fixed is security critical.

I suggest removing the sys.path tricks from the deployed version, and ideally from upstream. The upstream authors need that trick to enable running the tools directly from the tarball, but that could also be accomplished by symlinking the mutagen directory into the tools directory (tools/mutagen -> ../mutagen).

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-mutagen depends on:
ii  python     2.7.2-10
ii  python2.6  2.6.7-4
ii  python2.7  2.7.2-13

python-mutagen recommends no packages.

python-mutagen suggests no packages.

-- no debconf information

-- debsums errors found:
dpkg-query: warning: parsing file '/var/lib/dpkg/status' near line 59239 package 'calypso':
 missing description
dpkg-divert: warning: parsing file '/var/lib/dpkg/status' near line 59239 package 'calypso':
 missing description

-- 
To use raw power is to make yourself infinitely vulnerable to greater powers.
  -- Bene Gesserit axiom
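The following is an added example, not code from the bug report or from mutagen itself. It contrasts the cwd-relative fallback quoted above with a fallback anchored to the script's own file location (an alternative to the symlink suggestion, assumed here for illustration), so that a stray package in whatever directory the user happens to run the tool from is never added to sys.path, and a second ImportError is still surfaced to the user rather than masked.

```python
"""Added example: cwd-relative vs. script-relative import fallback.

The tool layout assumed here is the tarball's, i.e. tools/<script>
next to a top-level mutagen/ package directory.
"""
import os
import sys


def cwd_relative_fallback():
    """Path the report's fallback would add: the parent of the current
    working directory, which depends on where the user runs the tool."""
    return os.path.abspath("../")


def script_relative_fallback(script_file):
    """Path anchored to the script file itself: the parent of the
    directory containing the tool (tools/.. -> tarball root).  This is
    the same directory regardless of the caller's working directory."""
    tools_dir = os.path.dirname(os.path.abspath(script_file))
    return os.path.dirname(tools_dir)


def import_with_fallback(module_name, script_file):
    """Import module_name; on ImportError retry once after appending the
    script-relative path.  A second ImportError is deliberately not
    caught, so a broken dependency shows up instead of being hidden."""
    try:
        return __import__(module_name)
    except ImportError:
        candidate = script_relative_fallback(script_file)
        if candidate not in sys.path:
            sys.path.append(candidate)
        return __import__(module_name)


if __name__ == "__main__":
    # Constructed example path; __file__ would be used in a real tool.
    example_script = "/opt/mutagen-src/tools/mutagen-inspect"
    print("cwd-relative fallback   :", cwd_relative_fallback())
    print("script-relative fallback:", script_relative_fallback(example_script))
```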