On 08.11.2014 12:41, Jörg Frings-Fürst wrote:
Hello Dirk,
On Saturday, 08.11.2014, 11:58 +0100, Dirk Bächle wrote:
> Hi Jörg,
>
> On 08.11.2014 11:42, Jörg Frings-Fürst wrote:
> > Hello,
> >
> > from Helmut Grohne <[email protected]> I have just got:
> >
> >
[...]
> > Any hints about this?
> I fail to see how this affects the integrity and security of a Debian
> installation/distribution. When Helmut Grohne says that "the Debian
> package almost certainly should revert it." is this based on anything
> more than his very personal opinion, and a good portion of FUD?
>
From irc:
[08:00:45] <helmut> is having "." in the library path for a python application
generally considered a vulnerability?
[08:45:03] <womble> helmut: It certainly isn't a *good* thing. If it runs with
any sort of elevated privileges, it's *definitely* exploitable.
[09:56:04] <carnil> helmut, womble: reminds me as example to perl e.g. there is
#588017, one puppet CVE in similar regard was
http://puppetlabs.com/security/cve/cve-2014-3248, or #591676
[09:56:14] [zwiebelbot] Debian#588017: perl: current directory in @INC
potentially harmful - https://bugs.debian.org/588017
In these first two references (I followed the given links), they talk
about adding "." (the current working directory) to the python path. We
don't do that, we add "scriptdir + .. + engine"...which is actually a
fully qualified path. It's just not "normalized" in the sense that it
has a ".." in it. Other than that, it's not different to any other
absolute path like, let's say, "/usr/lib/python2.7/site-packages"
[09:56:15] [zwiebelbot] Debian#591676: pylint: please either disable or
document dynamic checks - https://bugs.debian.org/591676
In this last link, there is no adding of "." to the python path
mentioned...and adding ".." is neither. So I don't regard it as being
relevant to the current discussion.
Regards,
Dirk
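As an added illustration of the distinction Dirk draws above (this is example code written for this page, not code from SCons or from anyone in the thread): the import system treats `""` and `"."` on `sys.path` as "whatever the current working directory happens to be", so their meaning changes with every invocation, while an absolute path containing `".."` still names one fixed location once normalized. The helper below classifies `sys.path`-style entries on that basis; the `SCRIPT_DIR` value and the sample entry list are constructed for the example.

```python
import os
import posixpath as pp  # POSIX semantics regardless of host, so results are deterministic

# Constructed example: an installed wrapper script's directory, with the
# "scriptdir + .. + engine" entry from the thread built from it.
SCRIPT_DIR = "/usr/bin"
ENGINE_DIR = pp.join(SCRIPT_DIR, "..", "engine")   # "/usr/bin/../engine"


def is_cwd_relative(entry):
    """True if the entry's meaning depends on the process's working directory:
    the empty string, ".", or any path that is not absolute."""
    return entry in ("", ".") or not pp.isabs(entry)


def normalize_entry(entry, cwd=None):
    """Resolve an entry the way module lookup effectively does: "" and "."
    become the current working directory, everything else is made absolute
    and lexically normalized (".." components collapsed)."""
    cwd = cwd if cwd is not None else os.getcwd()
    if entry in ("", "."):
        return pp.normpath(cwd)
    if not pp.isabs(entry):
        return pp.normpath(pp.join(cwd, entry))
    return pp.normpath(entry)


def audit_path(entries, cwd=None):
    """Split entries into fixed locations and cwd-dependent ones, returning
    (fixed, cwd_dependent) as lists of (original, resolved) pairs."""
    fixed, cwd_dependent = [], []
    for entry in entries:
        pair = (entry, normalize_entry(entry, cwd))
        (cwd_dependent if is_cwd_relative(entry) else fixed).append(pair)
    return fixed, cwd_dependent


if __name__ == "__main__":
    # Constructed sample: the two entries from the discussion plus a normal one.
    sample = ["", "/usr/lib/python2.7/site-packages", ENGINE_DIR, "."]
    fixed, cwd_dependent = audit_path(sample, cwd="/tmp/somewhere")
    print("fixed:", fixed)
    print("cwd-dependent:", cwd_dependent)
```

Note that `normpath` collapses `..` lexically; if a component on the way is a symbolic link, the directory actually visited can differ from the lexical result, which is what `os.path.realpath` reports instead. That is a general property of `..` in paths, not a claim about the SCons layout.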
_______________________________________________
Scons-dev mailing list
[email protected]
https://pairlist2.pair.net/mailman/listinfo/scons-dev