Your message dated Tue, 14 Dec 2010 12:47:12 +0000
with message-id <e1psuhg-0007p2...@franck.debian.org>
and subject line Bug#605167: fixed in gnome-schedule 2.1.1-3.1
has caused the Debian Bug report #605167,
regarding gnome-schedule: Use of PYTHONPATH env var in an insecure way
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
605167: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605167
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gnome-schedule
Version: 2.1.1-3
Severity: grave
Tags: security
User: debian-pyt...@lists.debian.org
Usertags: pythonpath

Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in
an insecure way. Those packages do something like:

    PYTHONPATH=/spam/eggs:$PYTHONPATH

This is wrong, because if PYTHONPATH were originally unset or empty,
the current working directory would be added to sys.path.

[1] http://lists.debian.org/debian-python/2010/11/msg00045.html

Your package turns out to have vulnerable scripts in PATH: you can
find a complete log at [2].

[2] http://people.debian.org/~morph/mbf/pythonpath.txt

Some guidelines on how to fix these bugs: in the case given above, you
can use something like

    PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}

(If you don't know this construct, grep for "Use Alternative Value"
in the bash/dash manpage.)

Also, in cases like

   PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH

or

   PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py

you shouldn't need to touch PYTHONPATH at all.

Feel free to contact debian-pyt...@lists.debian.org in case you need
help.



--- End Message ---
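Added example, not code from the bug report or from the gnome-schedule package: it builds the naive and the guarded PYTHONPATH value side by side, checks the result for the empty component that makes Python put the current working directory on sys.path, and greps a constructed wrapper script for the naive pattern. The function names, the grep pattern and the sample script are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the bug report): naive vs. guarded PYTHONPATH
# prefixing, an empty-component check, and a grep audit of a wrapper script.

# Naive form from the report: always emits the trailing ":" when $2 is empty.
naive_pythonpath() { printf '%s:%s\n' "$1" "$2"; }

# Guarded form from the report: ":$2" is appended only if $2 is set and
# non-empty ("Use Alternative Value" in the bash/dash manpage).
safe_pythonpath()  { printf '%s%s\n' "$1" "${2:+:$2}"; }

# Returns 0 (true) if a colon-separated path has an empty component:
# the empty string, a leading ":", a trailing ":" or "::" in the middle.
# Each empty component makes Python add the working directory to sys.path.
has_empty_component() {
    case "$1" in
        ''|:*|*:|*::*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Prints the lines of a script that build PYTHONPATH from $PYTHONPATH
# without the ":+" guard; prints nothing when the script looks clean.
# (Assumed detection pattern, not the one used in the original analysis.)
audit_wrapper() {
    grep -nE 'PYTHONPATH=[^#]*\$[{]?PYTHONPATH[}]?' "$1" \
        | grep -vE 'PYTHONPATH:\+' || :
}

# Constructed wrapper script with one naive and one guarded assignment.
sample=$(mktemp) || exit 1
cat >"$sample" <<'EOF'
#!/bin/sh
PYTHONPATH=/spam/eggs:$PYTHONPATH
PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
exec python /spam/eggs/spam.py "$@"
EOF

echo "naive, PYTHONPATH unset:   $(naive_pythonpath /spam/eggs "")"
echo "guarded, PYTHONPATH unset: $(safe_pythonpath /spam/eggs "")"
echo "guarded, PYTHONPATH set:   $(safe_pythonpath /spam/eggs /opt/lib)"
echo "audit hits in sample wrapper:"
audit_wrapper "$sample"
rm -f "$sample"
```

Only the naive line of the sample wrapper is reported; the guarded line is skipped because it carries the `:+` guard.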
--- Begin Message ---
Source: gnome-schedule
Source-Version: 2.1.1-3.1

We believe that the bug you reported is fixed in the latest version of
gnome-schedule, which is due to be installed in the Debian FTP archive:

gnome-schedule_2.1.1-3.1.diff.gz
  to main/g/gnome-schedule/gnome-schedule_2.1.1-3.1.diff.gz
gnome-schedule_2.1.1-3.1.dsc
  to main/g/gnome-schedule/gnome-schedule_2.1.1-3.1.dsc
gnome-schedule_2.1.1-3.1_i386.deb
  to main/g/gnome-schedule/gnome-schedule_2.1.1-3.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 605...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitrijs Ledkovs <dmitrij.led...@ubuntu.com> (supplier of updated 
gnome-schedule package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 11 Dec 2010 11:12:35 +0000
Source: gnome-schedule
Binary: gnome-schedule
Architecture: source i386
Version: 2.1.1-3.1
Distribution: unstable
Urgency: high
Maintainer: Alejandro Rios P. <aler...@debian.org>
Changed-By: Dmitrijs Ledkovs <dmitrij.led...@ubuntu.com>
Description: 
 gnome-schedule - GNOME scheduler for automatic tasks
Closes: 605167
Changes: 
 gnome-schedule (2.1.1-3.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix setting PYTHONPATH in an insecure way (Closes: #605167):




--- End Message ---
