ytrstu / distcc

Automatically exported from code.google.com/p/distcc
GNU General Public License v2.0

pump wrapper sets PYTHONPATH insecurely #109

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
1. What version of distcc are you using (e.g. "2.7.1")?

3.1 (Debian)

Forwarding a patch from Debian for a potential security problem in the pump wrapper
(pump.in). From the original investigation[1] and bug report[2]:

A number of packages in the archive set the PYTHONPATH environment variable in
an insecure way. They do something like:

      PYTHONPATH=/spam/eggs:$PYTHONPATH

This is wrong, because if PYTHONPATH were originally unset or empty, the current
working directory would be added to sys.path.

[1] http://lists.debian.org/debian-python/2010/11/msg00045.html
[2] http://bugs.debian.org/605168

Original issue reported on code.google.com by mand...@gmail.com on 3 May 2012 at 3:56
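
The failure mode described in the report, next to one common way to avoid it, as an added example (not the Debian patch and not code from distcc's pump.in). The function names and every sample value other than /spam/eggs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: not taken from distcc's pump.in or the Debian patch.
# Function names and every sample value except /spam/eggs are constructed.

# Form quoted in the report: a ':' always follows the new entry.
# $1 = directory to add, $2 = existing PYTHONPATH value (may be empty)
prepend_unsafe() {
    printf '%s\n' "$1:$2"
}

# ${2:+:$2} expands to nothing when $2 is unset or empty, so the
# separator is written only when there is an old value to separate.
prepend_safe() {
    printf '%s\n' "$1${2:+:$2}"
}

# Succeeds (returns 0) when a colon-separated value holds an empty element:
# a leading ':', a trailing ':' or '::'. A wholly empty value has none.
has_empty_entry() {
    case "$1" in
        '')          return 1 ;;
        :*|*:|*::*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# Compare both forms over constructed starting values. The last one already
# ends in ':', which the safe form carries over unchanged, so inherited
# values are worth checking too.
for original in "" "/usr/lib/site" "/opt/lib:"; do
    for fn in prepend_unsafe prepend_safe; do
        result=$("$fn" /spam/eggs "$original")
        if has_empty_entry "$result"; then
            verdict="empty entry: cwd is searched"
        else
            verdict="ok"
        fi
        printf '%-14s old=%-15s new=%-26s %s\n' \
            "$fn" "'$original'" "$result" "$verdict"
    done
done
```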


GoogleCodeExporter commented 9 years ago
Patch applied in svn revision 768.

Original comment by fergus.h...@gmail.com on 3 May 2012 at 9:02