Your message dated Sun, 28 Nov 2010 14:47:46 +0000
with message-id <e1pmixa-0000eu...@franck.debian.org>
and subject line Bug#605163: fixed in guake 0.4.2-3
has caused the Debian Bug report #605163,
regarding guake: Use of PYTHONPATH env var in an insecure way
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
605163: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605163
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: guake
Version: 0.4.2-2
Severity: grave
Tags: security
User: debian-pyt...@lists.debian.org
Usertags: pythonpath

Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in
an insecure way. Those packages do something like:

    PYTHONPATH=/spam/eggs:$PYTHONPATH

This is wrong, because if PYTHONPATH were originally unset or empty,
current working directory would be added to sys.path.

[1] http://lists.debian.org/debian-python/2010/11/msg00045.html

Your package turns out to have vulnerable scripts in PATH: you can
find a complete log at [2].

[2] http://people.debian.org/~morph/mbf/pythonpath.txt

Some guidelines on how to fix these bugs: in the case given above, you
can use something like

    PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}

(If you don't know this construct, grep for "Use Alternative Value"
in the bash/dash manpage.)

Also, in cases like

    PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH

or

    PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py

you shouldn't need to touch PYTHONPATH at all.

Feel free to contact debian-pyt...@lists.debian.org in case you need
help.



--- End Message ---
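The two shell constructs from the report above, side by side, as an added example (this is not code from the bug report, from Jakub Wilk's analysis or from the guake package). It shows that the unconditional `:$PYTHONPATH` suffix produces a trailing colon when PYTHONPATH is unset or empty, which Python interprets as an empty sys.path entry (the current working directory), that the `${PYTHONPATH:+:$PYTHONPATH}` form does not, and it adds a small grep-based scan, in the spirit of the analysis linked as [1], that flags both unsafe shapes in wrapper scripts. The sample wrapper lines in `SAMPLE_SCRIPT` and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or the guake package): why the
# unconditional form leaks an empty sys.path entry, how the ${VAR:+...}
# form avoids it, and a grep-based scan for the pattern in shell wrappers.

# Unsafe form quoted in the report: ":$PYTHONPATH" is always appended, so
# with PYTHONPATH unset/empty the result ends in ":" and Python reads that
# empty element as the current working directory.
unsafe_pythonpath() {  # $1 = directory to prepend, $2 = current PYTHONPATH
    printf '%s\n' "$1:$2"
}

# Recommended form: ":$PYTHONPATH" is only added when PYTHONPATH is non-empty
# ("Use Alternative Value" in the sh manpage).
safe_pythonpath() {  # $1 = directory to prepend, $2 = current PYTHONPATH
    printf '%s\n' "$1${2:+:$2}"
}

# Returns 0 when a colon-separated path list contains an empty element
# (leading or trailing colon, or "::"), i.e. when Python would add the CWD.
has_empty_entry() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads shell script text on stdin and prints every line that sets
# PYTHONPATH in either unsafe shape from the report; exit status 0 if any
# were found.  Lines using the ${PYTHONPATH:+...} form are excluded.
find_unsafe_assignments() {
    grep -E 'PYTHONPATH=(.*:\$PYTHONPATH|\$PYTHONPATH:)' | grep -vF 'PYTHONPATH:+'
}

# Constructed sample wrapper lines, one per shape discussed in the report
# (unsafe prepend, safe prepend, unsafe append).
SAMPLE_SCRIPT='PYTHONPATH=/spam/eggs:$PYTHONPATH
PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py'

demo() {
    echo "unset PYTHONPATH, unsafe: $(unsafe_pythonpath /spam/eggs '')"
    echo "unset PYTHONPATH, safe:   $(safe_pythonpath /spam/eggs '')"
    echo "set PYTHONPATH, safe:     $(safe_pythonpath /spam/eggs /opt/lib)"
    echo "lines flagged by the scan:"
    printf '%s\n' "$SAMPLE_SCRIPT" | find_unsafe_assignments
}

demo
```

Running the script prints `/spam/eggs:` for the unsafe form and `/spam/eggs` for the safe one when PYTHONPATH is empty, and the scan reports only the first and third sample lines. The scan is deliberately narrow: it only recognises the literal `$PYTHONPATH` spelling used in the report, so wrappers that use `${PYTHONPATH}` or build the value in several steps need a manual look.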
--- Begin Message ---
Source: guake
Source-Version: 0.4.2-3

We believe that the bug you reported is fixed in the latest version of
guake, which is due to be installed in the Debian FTP archive:

guake_0.4.2-3.diff.gz
  to main/g/guake/guake_0.4.2-3.diff.gz
guake_0.4.2-3.dsc
  to main/g/guake/guake_0.4.2-3.dsc
guake_0.4.2-3_i386.deb
  to main/g/guake/guake_0.4.2-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 605...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sylvestre Ledru <sylves...@debian.org> (supplier of updated guake package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 28 Nov 2010 14:57:37 +0100
Source: guake
Binary: guake
Architecture: source i386
Version: 0.4.2-3
Distribution: unstable
Urgency: high
Maintainer: Sylvestre Ledru <sylves...@debian.org>
Changed-By: Sylvestre Ledru <sylves...@debian.org>
Description: 
 guake      - A drop-down terminal for GNOME Desktop Environment
Closes: 605163
Changes: 
 guake (0.4.2-3) unstable; urgency=high
 .
   * Fix a security issue in an incorrect usage of PYTHONPATH (Closes: #605163)
Checksums-Sha1: 
 7f90840707b9019e1b19781f2b59aa027425fe5e 1270 guake_0.4.2-3.dsc
 d62f4482219ada135333bc9e287f5f7a9c2ce6e7 3544 guake_0.4.2-3.diff.gz
 fcfff49edcdf1d4551cd46ed35a5358ffa8cfeee 157200 guake_0.4.2-3_i386.deb
Checksums-Sha256: 
 a9d8aa7768a5bae607cb7035990bc3ca751c9f1897d46b6b72a3cc0552f8bc92 1270 guake_0.4.2-3.dsc
 4af7a301191b4f7c985f7a40111286003cbc88f7b9d8e7f6c43db854ce0eae28 3544 guake_0.4.2-3.diff.gz
 7a1df538c05019b3c56d88e8b56f239c26eda8033f9cac9f62156fd7fccf2b4c 157200 guake_0.4.2-3_i386.deb
Files: 
 e2633be0e641c09f2ce5f180b5ecf133 1270 x11 optional guake_0.4.2-3.dsc
 edeb49336e3fc98de762d2eac482becf 3544 x11 optional guake_0.4.2-3.diff.gz
 78c55b7afe9c62ffb65cae65a653f3ae 157200 x11 optional guake_0.4.2-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkzyYzAACgkQiOXXM92JlhCPEwCfay9qoo7+AGneaH9Iwww68D0b
sm4AoKSgAjqj4a8ZDHxaDPTxBRhR8QiQ
=nsXy
-----END PGP SIGNATURE-----



--- End Message ---