Bug#605157: calendarserver: Use of PYTHONPATH env var in an insecure way

2010-12-10 Thread Jakub Wilk
* Dmitrijs Ledkovs dmitrij.led...@ubuntu.com, 2010-12-10, 01:25: I have tested this by running calendarserver with/without new patch and I can add/retrieve calendar events over the network using thunderbird-lightning. The new patch looks good. I'll upload Dmitrijs' NMU shortly (with

Processed: Re: Bug#605157: calendarserver: Use of PYTHONPATH env var in an insecure way

2010-12-09 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org: tags 605157 + patch Bug #605157 [calendarserver] calendarserver: Use of PYTHONPATH env var in an insecure way Bug #605166 [calendarserver] calendarserver: Use of PYTHONPATH env var in an insecure way Added tag(s) patch. Added tag(s) patch.

Bug#605157: calendarserver: Use of PYTHONPATH env var in an insecure way

2010-12-09 Thread Dmitrijs Ledkovs
tags 605157 + patch thanks Jakub Wilk jw...@debian.org writes: tags 605157 - patch thanks * Dmitrijs Ledkovs dmitrij.led...@ubuntu.com, 2010-12-03, 22:37: With my patch applied the resulting /usr/bin/caldavd has:

Bug#605157: calendarserver: Use of PYTHONPATH env var in an insecure way

2010-12-08 Thread Moritz Muehlenhoff
On Fri, Dec 03, 2010 at 09:45:04PM +, Dmitrijs Ledkovs wrote: tags 605157 patch thanks Dear maintainer, I've prepared an NMU for calendarserver (versioned as 2.4.dfsg-2.1). I will seek sponsorship to upload for delayed queue. If anyone is sponsoring a fixed package, please upload

Bug#605157: calendarserver: Use of PYTHONPATH env var in an insecure way

2010-12-08 Thread Jakub Wilk
tags 605157 - patch thanks * Dmitrijs Ledkovs dmitrij.led...@ubuntu.com, 2010-12-03, 22:37: With my patch applied the resulting /usr/bin/caldavd has: PYTHONPATH=/usr/lib/twisted-calendarserver/lib/python2.6/site-packages/:+:$PYTHONPATH So if PYTHONPATH was originally empty or unset, this

Processed: Re: Bug#605157: calendarserver: Use of PYTHONPATH env var in an insecure way

2010-12-08 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org: tags 605157 - patch Bug #605157 [calendarserver] calendarserver: Use of PYTHONPATH env var in an insecure way Bug #605166 [calendarserver] calendarserver: Use of PYTHONPATH env var in an insecure way Removed tag(s) patch. Removed tag(s) patch.

Bug#605157: calendarserver: Use of PYTHONPATH env var in an insecure way

2010-12-03 Thread Dmitrijs Ledkovs
tags 605157 patch thanks Dear maintainer, I've prepared an NMU for calendarserver (versioned as 2.4.dfsg-2.1). I will seek sponsorship to upload for delayed queue. === modified file 'debian/changelog' --- a/debian/changelog 2010-08-25 15:23:37

Bug#605157: calendarserver: Use of PYTHONPATH env var in an insecure way

2010-12-03 Thread Jakub Wilk
Hi Dmitrijs, +@@ -145,7 +145,7 @@ + line = line.rstrip(\n) + if fileType == sh: + if line == #PYTHONPATH: +-script.append('PYTHONPATH=%s:$PYTHONPATH' % (install_lib,)) ++script.append('PYTHONPATH=%s:+:$PYTHONPATH'
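Review bot: The format string on the added line, 'PYTHONPATH=%s:+:$PYTHONPATH', is not a shell conditional expansion. It writes a literal "+" entry into the path and, when PYTHONPATH is empty or unset, still ends in an empty entry, which Python resolves as the current directory, so the insecure search path this bug reports remains. The expansion needs its braces: 'PYTHONPATH=%s${PYTHONPATH:+:$PYTHONPATH}' appends the colon and the previous value only when PYTHONPATH is non-empty.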

Bug#605157: calendarserver: Use of PYTHONPATH env var in an insecure way

2010-12-03 Thread Dmitrijs Ledkovs
Jakub Wilk jw...@debian.org writes: Hi Dmitrijs, +@@ -145,7 +145,7 @@ + line = line.rstrip(\n) + if fileType == sh: + if line == #PYTHONPATH: +-script.append('PYTHONPATH=%s:$PYTHONPATH' % (install_lib,)) ++

Bug#605157: calendarserver: Use of PYTHONPATH env var in an insecure way

2010-11-27 Thread Sandro Tosi
Package: calendarserver Version: 2.4.dfsg-2 Severity: grave Tags: security User: debian-pyt...@lists.debian.org Usertags: pythonpath Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in an insecure way. Those packages do something like: PYTHONPATH=/spam/eggs:$PYTHONPATH