Debian Bug report logs - #605169
gnome-schedule: Use of PYTHONPATH env var in an insecure way


Package: gnome-schedule; Maintainer for gnome-schedule is (unknown);

Reported by: Sandro Tosi <morph@debian.org>

Date: Sat, 27 Nov 2010 22:43:03 UTC

Severity: grave

Tags: patch, security

Merged with 605167

Found in versions gnome-schedule/2.1.1-3, gnome-schedule/2.0.2-1.1

Fixed in version gnome-schedule/2.1.1-3.1

Done: Dmitrijs Ledkovs <dmitrij.ledkov@ubuntu.com>

Bug is archived. No further changes may be made.



Report forwarded to alerios@debian.org (Alejandro Rios P.):
Bug#605169; Package gnome-schedule. (Sat, 27 Nov 2010 22:43:06 GMT)


Acknowledgement sent to Sandro Tosi <morph@debian.org>:
New Bug report received and forwarded. Copy sent to alerios@debian.org (Alejandro Rios P.). (Sat, 27 Nov 2010 22:43:06 GMT)


Message #5 received at maintonly@bugs.debian.org:

From: Sandro Tosi <morph@debian.org>
To: maintonly@bugs.debian.org
Subject: gnome-schedule: Use of PYTHONPATH env var in an insecure way
Date: Sat, 27 Nov 2010 22:38:36 +0000
Package: gnome-schedule
Version: 2.1.1-3
Severity: grave
Tags: security
User: debian-python@lists.debian.org
Usertags: pythonpath

Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in
an insecure way. Those packages do something like:

    PYTHONPATH=/spam/eggs:$PYTHONPATH

This is wrong, because if PYTHONPATH were originally unset or empty,
current working directory would be added to sys.path.

[1] http://lists.debian.org/debian-python/2010/11/msg00045.html

Your package turns out to have vulnerable scripts in PATH: you can
find a complete log at [2].

[2] http://people.debian.org/~morph/mbf/pythonpath.txt

Some guidelines on how to fix these bugs: in the case given above, you
can use something like

    PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}

(If you don't know this construct, grep for "Use Alternative Value"
in the bash/dash manpage.)

Also, in cases like

   PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH

or

   PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py

you shouldn't need to touch PYTHONPATH at all.

Feel free to contact debian-python@lists.debian.org in case you need
help.
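Added example, not part of the bug report or of gnome-schedule: the two shell expansions from the report side by side, a helper that spots the empty path element the insecure form produces, and a heuristic grep for the pattern in a wrapper script. The sample script, its paths and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report or gnome-schedule: the two
# expansions from the report side by side, plus a check for the pattern.

# Insecure form: with PYTHONPATH unset or empty this expands to "/spam/eggs:",
# and Python treats the trailing empty element as the current directory.
insecure_path() {
    printf '%s' "/spam/eggs:$PYTHONPATH"
}

# Safe form: ":$PYTHONPATH" is appended only when PYTHONPATH is set and
# non-empty ("Use Alternative Value" in the sh manpage).
safe_path() {
    printf '%s' "/spam/eggs${PYTHONPATH:+:$PYTHONPATH}"
}

# Returns 0 when the colon-separated list in $1 has an empty element
# (leading ':', trailing ':' or '::'), i.e. would put the cwd on sys.path.
has_empty_element() {
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Prints line numbers of $1 that glue $PYTHONPATH onto a value with a bare
# ':' and no ${PYTHONPATH:+...} guard. A heuristic like the mass-bug scan;
# review each hit by hand.
find_insecure_pythonpath() {
    grep -nE 'PYTHONPATH=[^ ]*(:\$[{]?PYTHONPATH[}]?|\$[{]?PYTHONPATH[}]?:)' "$1" \
        | grep -vF 'PYTHONPATH:+' | cut -d: -f1
}

# Constructed sample wrapper script (hypothetical paths, not gnome-schedule's).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#!/bin/sh
PYTHONPATH=/usr/share/spam:$PYTHONPATH exec python /usr/share/spam/spam.py
PYTHONPATH=/usr/share/spam${PYTHONPATH:+:$PYTHONPATH} exec python /usr/share/spam/spam.py
EOF

unset PYTHONPATH
echo "unset: insecure='$(insecure_path)' safe='$(safe_path)'"
PYTHONPATH=/opt/lib
echo "set:   insecure='$(insecure_path)' safe='$(safe_path)'"
echo "flagged line(s): $(find_insecure_pythonpath "$SAMPLE" | tr '\n' ' ')"
rm -f "$SAMPLE"
```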




Merged 605167 605169. Request was from Piotr Ożarowski <piotr@debian.org> to control@bugs.debian.org. (Sat, 27 Nov 2010 23:09:11 GMT)


Bug marked as found in versions gnome-schedule/2.0.2-1.1. Request was from Jakub Wilk <jwilk@debian.org> to control@bugs.debian.org. (Sun, 28 Nov 2010 13:21:22 GMT)


Added tag(s) patch. Request was from gregor herrmann <gregoa@debian.org> to control@bugs.debian.org. (Thu, 09 Dec 2010 14:09:06 GMT)


Added tag(s) pending. Request was from Jakub Wilk <jwilk@debian.org> to control@bugs.debian.org. (Tue, 14 Dec 2010 12:12:09 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 09:40:22 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jan 22 16:51:52 2025; Machine Name: buxtehude
