On Fri, Mar 09, 2012 at 02:57:03PM +0100, chrysn wrote:
> Package: zenmap
> Version: 5.21-1.1
> Severity: grave
> Tags: security
>
> the zenmap script modifies its sys.path to include
> '/tmp/nmap-5.21/debian/tmp/usr/lib/python2.6/site-packages/', which is
> inserted at build time from setup.py.

Thank you for the report. This is indeed a problem if you initially
build and install into a world-writeable directory
(e.g. /tmp/nmap-5.21/debian) and then copy the files elsewhere as part
of a distribution. This feature is meant to set the module path for
cases where people install Nmap in nondefault (but secure) locations,
such as their home directory. But it isn't a very important feature,
and we may be able to support that in other ways. So we have removed
the set_modules_path function and the call to it from
nmap/zenmap/setup.py in our source code repository. That change will
be in future Nmap releases, and here is the patch:
Modified: nmap/zenmap/setup.py
==============================================================================
--- nmap/zenmap/setup.py (original)
+++ nmap/zenmap/setup.py Mon Mar 26 19:14:22 2012
@@ -205,7 +205,6 @@
install.run(self)
self.set_perms()
- self.set_modules_path()
self.fix_paths()
self.create_uninstaller()
self.write_installed_files()
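Review bot: Nothing in the remaining `install.run(self)` sequence replaces the dropped `self.set_modules_path()` step, so a launcher installed under a nondefault prefix will only find its modules if that directory is already on the interpreter's module path. A short comment at this point, or a line in the install documentation saying that such installs now need PYTHONPATH set, would make the behaviour change explicit.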
@@ -307,32 +306,6 @@
mode = ((os.stat(uninstaller_filename)[ST_MODE]) | 0555) & 07777
os.chmod(uninstaller_filename, mode)
- def set_modules_path(self):
- app_file_name = os.path.join(self.install_scripts, APP_NAME)
- # Find where the modules are installed. distutils will put them in
- # self.install_lib, but that path can contain the root (DESTDIR), so we
- # must strip it off if necessary.
- modules = self.install_lib
- if self.root is not None:
- modules = path_strip_prefix(modules, self.root)
-
- ufile = open(app_file_name, "r")
- ucontent = ufile.readlines()
- ufile.close()
-
- # Insert our custom import after the first non-comment line.
- re_sys = re.compile("^#")
- uline = 0
- for line in ucontent:
- if not re_sys.match(line):
- break
- uline += 1
- ucontent.insert(uline, "\nimport sys\nsys.path.append(%s)\n" %
repr(modules))
-
- ufile = open(app_file_name, "w")
- ufile.writelines(ucontent)
- ufile.close()
-
def set_perms(self):
re_bin = re.compile("(bin|\.sh)")
for output in self.get_installed_files():
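Review bot: `path_strip_prefix` may be left without callers once `set_modules_path` (which used it in the `if self.root is not None:` branch) is gone; check for remaining users and delete the helper in the same change if there are none. The commit message should also say that launchers written by earlier builds keep the inserted `sys.path.append(...)` line, so existing packages need a rebuild rather than only a source update.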
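A check for the condition discussed in this thread, added here as an example and not taken from the Nmap source or from this message: it extracts the literal paths a script adds to `sys.path` and reports those whose nearest existing ancestor is world-writable. The function names and the sample launcher are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Matches sys.path.append('<literal>') and sys.path.insert(N, '<literal>').
PATH_CALL = re.compile(
    r"""sys\.path\.(?:append|insert)\(\s*(?:\d+\s*,\s*)?(['"])(.+?)\1\s*\)""")

def hardcoded_paths(source):
    """Return the string literals a script adds to sys.path."""
    return [m.group(2) for m in PATH_CALL.finditer(source)]

def writable_anchor(path):
    """Return the nearest existing ancestor of path (or path itself) if it is
    world-writable, else None. A missing path below a world-writable directory
    can be created by any local user, sticky bit or not."""
    path = os.path.abspath(path)
    while not os.path.exists(path):
        path = os.path.dirname(path)
    return path if os.stat(path).st_mode & stat.S_IWOTH else None

def audit(source):
    """Return (import_path, world_writable_ancestor) for each risky entry."""
    hits = ((p, writable_anchor(p)) for p in hardcoded_paths(source))
    return [(p, anchor) for p, anchor in hits if anchor]

def demo():
    """Constructed sample: a launcher with one build-time path left under a
    /tmp-like directory (mode 1777) and one path under a 0755 directory."""
    base = tempfile.mkdtemp()
    shared, private = os.path.join(base, "shared"), os.path.join(base, "private")
    os.mkdir(shared); os.chmod(shared, 0o1777)
    os.mkdir(private); os.chmod(private, 0o755)
    stale = os.path.join(shared, "nmap-5.21/debian/tmp/usr/lib/python2.6/site-packages")
    script = ("#!/usr/bin/env python\n\nimport sys\n"
              "sys.path.append(%r)\nsys.path.append(%r)\n" % (stale, private))
    return stale, shared, audit(script)

if __name__ == "__main__":
    stale, shared, findings = demo()
    for path, anchor in findings:
        print("sys.path entry %s is under world-writable %s" % (path, anchor))
```

The regular expression reads the script as text rather than parsing it, so it also works on Python 2 launchers that a Python 3 parser would reject.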