Your message dated Mon, 29 Nov 2010 19:36:12 +0100 with message-id <20101129183612.ga27...@inutil.org> and subject line Re: mmass: Use of PYTHONPATH env var in an insecure way has caused the Debian Bug report #605150, regarding mmass: Use of PYTHONPATH env var in an insecure way to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 605150: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605150 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: mmass Version: 3.8.0-1 Severity: grave Tags: security User: debian-pyt...@lists.debian.org Usertags: pythonpath Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in an insecure way. Those packages do something like: PYTHONPATH=/spam/eggs:$PYTHONPATH This is wrong, because if PYTHONPATH were originally unset or empty, current working directory would be added to sys.path. [1] http://lists.debian.org/debian-python/2010/11/msg00045.html Your package turns out to have vulnerable scripts in PATH: you can find a complete log at [2]. [2] http://people.debian.org/~morph/mbf/pythonpath.txt Some guidelines on how to fix these bugs: in the case given above, you can use something like PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH} (If you don't known this construct, grep for "Use Alternative Value" in the bash/dash manpage.) Also, in cases like PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH or PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py you shouldn't need to touch PYTHONPATH at all. Feel free to contact debian-pyt...@lists.debian.org in case of help.
--- End Message ---
--- Begin Message ---Version: 3.8.0-2 On Sat, Nov 27, 2010 at 10:38:36PM +0000, Sandro Tosi wrote: > Package: mmass > Version: 3.8.0-1 > Severity: grave > Tags: security > User: debian-pyt...@lists.debian.org > Usertags: pythonpath > > Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in > an insecure way. Those packages do something like: > > PYTHONPATH=/spam/eggs:$PYTHONPATH Fixed by a maintainer upload, but a bug closer was forgotten. mmass maintainers, you still still a fix for Squeeze, please get in contact with the release managers for a targeted tpu fix. Cheers, Moritz
--- End Message ---
