Your message dated Tue, 30 Nov 2010 02:35:23 +0000
with message-id <e1png3v-00088q...@franck.debian.org>
and subject line Bug#605153: fixed in pybliographer 1.2.14-3
has caused the Debian Bug report #605153,
regarding pybliographer: Use of PYTHONPATH env var in an insecure way
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
605153: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605153
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pybliographer
Version: 1.2.14-2
Severity: grave
Tags: security
User: debian-pyt...@lists.debian.org
Usertags: pythonpath

Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in
an insecure way. Those packages do something like:

    PYTHONPATH=/spam/eggs:$PYTHONPATH

This is wrong, because if PYTHONPATH were originally unset or empty,
current working directory would be added to sys.path.

[1] http://lists.debian.org/debian-python/2010/11/msg00045.html

Your package turns out to have vulnerable scripts in PATH: you can
find a complete log at [2].

[2] http://people.debian.org/~morph/mbf/pythonpath.txt

Some guidelines on how to fix these bugs: in the case given above, you
can use something like

    PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}

(If you don't know this construct, grep for "Use Alternative Value"
in the bash/dash manpage.)

Also, in cases like

   PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH

or

   PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py

you shouldn't need to touch PYTHONPATH at all.

Feel free to contact debian-pyt...@lists.debian.org in case you need
help.



--- End Message ---
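
The two expansions discussed in the report above, side by side, as an added
example (this is not code from the bug report, from pybliographer, or from
the debian-python analysis). The function names naive_pythonpath,
safe_pythonpath and classify are this example's own; the directory names
are made up for illustration. The "naive" form is the insecure idiom
"dir:$PYTHONPATH", the "safe" form is the ${PYTHONPATH:+:$PYTHONPATH}
construct the report recommends, and classify() flags a colon-separated
search path that contains an empty element (leading, trailing or doubled
colon), which is exactly the case in which Python adds the current working
directory to sys.path.

```shell
#!/bin/sh
# Added example: contrast the insecure PYTHONPATH idiom with the
# "Use Alternative Value" form and check the result for empty elements.
# Function names and directory names are assumptions made for this example.

# The insecure idiom from the report: a plain "dir:$PYTHONPATH".
#   $1 = directory to prepend, $2 = current PYTHONPATH value (may be empty)
naive_pythonpath() {
    printf '%s\n' "$1:$2"
}

# The recommended fix: the separator and the old value are only emitted
# when $2 is non-empty, so an empty PYTHONPATH never leaves a dangling colon.
safe_pythonpath() {
    printf '%s\n' "$1${2:+:$2}"
}

# Print "unsafe" if the colon-separated path in $1 contains an empty element
# (":a", "a:", "a::b"), otherwise "safe". An entirely empty value is "safe":
# an unset or empty PYTHONPATH contributes nothing to sys.path.
classify() {
    case "$1" in
        "") echo safe ;;
        *)  case ":$1:" in
                *::*) echo unsafe ;;
                *)    echo safe ;;
            esac ;;
    esac
}

# Demonstration over the two situations that matter: PYTHONPATH unset/empty
# in the caller's environment, and PYTHONPATH already carrying a directory.
for existing in "" "/opt/lib/python"; do
    naive=$(naive_pythonpath /usr/share/spam "$existing")
    safe=$(safe_pythonpath /usr/share/spam "$existing")
    printf 'PYTHONPATH=%-18s naive=%-32s %s\n' "'$existing'" "$naive" "$(classify "$naive")"
    printf 'PYTHONPATH=%-18s safe =%-32s %s\n' "'$existing'" "$safe"  "$(classify "$safe")"
done
```

With an empty PYTHONPATH the naive form yields "/usr/share/spam:", whose
trailing empty element is read by Python as the current directory, while the
safe form yields just "/usr/share/spam"; with a non-empty PYTHONPATH both
forms produce the same string. For the "$SPAMDIR/spam.py" case the report
mentions, no PYTHONPATH manipulation is needed at all, because Python already
puts the directory containing the script being run at the front of sys.path.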
--- Begin Message ---
Source: pybliographer
Source-Version: 1.2.14-3

We believe that the bug you reported is fixed in the latest version of
pybliographer, which is due to be installed in the Debian FTP archive:

pybliographer_1.2.14-3.diff.gz
  to main/p/pybliographer/pybliographer_1.2.14-3.diff.gz
pybliographer_1.2.14-3.dsc
  to main/p/pybliographer/pybliographer_1.2.14-3.dsc
pybliographer_1.2.14-3_all.deb
  to main/p/pybliographer/pybliographer_1.2.14-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 605...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lawrence <lawre...@debian.org> (supplier of updated pybliographer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 29 Nov 2010 20:24:24 -0600
Source: pybliographer
Binary: pybliographer
Architecture: source all
Version: 1.2.14-3
Distribution: unstable
Urgency: high
Maintainer: Chris Lawrence <lawre...@debian.org>
Changed-By: Chris Lawrence <lawre...@debian.org>
Description: 
 pybliographer - tool for manipulating bibliographic databases
Closes: 605153
Changes: 
 pybliographer (1.2.14-3) unstable; urgency=high
 .
   * Remove code involving $PYTHONPATH from scripts, since it adds an
     "extras" directory that no longer seems to exist.  (Closes: #605153)
Checksums-Sha1: 
 d006018a38c49173ec829aa5fb2126208bda4c50 1230 pybliographer_1.2.14-3.dsc
 4f43167e35f6a05dcca557712b4481cd607c87d9 16924 pybliographer_1.2.14-3.diff.gz
 11a59d5ae52f17efe793f6c7995fa81be5411695 664722 pybliographer_1.2.14-3_all.deb
Checksums-Sha256: 
 8b0f4f536c3cf0fc8b9a90df91cec8875a00cd015efef8cdcef1191186caa5b5 1230 pybliographer_1.2.14-3.dsc
 a2516a8f9e35715d9f9b875d74a47e68de365531f3c0216e4a75681e83cb8df3 16924 pybliographer_1.2.14-3.diff.gz
 07adcd13d6510bed96be3fe5931fc0998d6f5ea1fac44d5d3cc978bdc7f1de3c 664722 pybliographer_1.2.14-3_all.deb
Files: 
 6e8a7ed3607fbbc83e19fb0f84f27018 1230 gnome optional pybliographer_1.2.14-3.dsc
 5b79f815e136d5401c25ecd8db594c57 16924 gnome optional pybliographer_1.2.14-3.diff.gz
 3c54d5eeee36e0feb40f97dd498edbf8 664722 gnome optional pybliographer_1.2.14-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkz0YRUACgkQ2wQKE6PXubyWbACgix11wbvt6VgF6SxkDDi1RVA2
RkYAoL76WfrH4Obo2NtrPO74szA6xq7U
=x5Iq
-----END PGP SIGNATURE-----



--- End Message ---