[Scons-dev] script/scons
Jörg Frings-Fürst
debian at jff-webhosting.net
Sat Nov 8 06:41:37 EST 2014
Hello Dirk,
On Saturday, 08.11.2014, at 11:58 +0100, Dirk Bächle wrote:
> Hi Jörg,
>
> On 08.11.2014 11:42, Jörg Frings-Fürst wrote:
> > Hello,
> >
> > from Helmut Grohne <helmut at subdivi.de> I have just got:
> >
> >
[...]
> > Any hints about this?
> I fail to see how this affects the integrity and security of a Debian
> installation/distribution. When Helmut Grohne says that "the Debian
> package almost certainly should revert it." is this based on anything
> more than his very personal opinion, and a good portion of FUD?
>
From IRC:
[08:00:45] <helmut> is having "." in the library path for a python application generally considered a vulnerability?
[08:45:03] <womble> helmut: It certainly isn't a *good* thing. If it runs with any sort of elevated privileges, it's *definitely* exploitable.
[09:56:04] <carnil> helmut, womble: reminds me as example to perl e.g. there is #588017, one puppet CVE in similar regard was http://puppetlabs.com/security/cve/cve-2014-3248, or #591676
[09:56:14] [zwiebelbot] Debian#588017: perl: current directory in @INC potentially harmful - https://bugs.debian.org/588017
[09:56:15] [zwiebelbot] Debian#591676: pylint: please either disable or document dynamic checks - https://bugs.debian.org/591676
> Best regards,
>
> Dirk
CU
Jörg
--
pgp Fingerprint: 7D13 3C60 0A10 DBE1 51F8 EBCB 422B 44B0 BE58 1B6E
pgp Key: BE581B6E
CAcert Key S/N: 0E:D4:56
Jörg Frings-Fürst
D-54526 Niederkail
Threema: SYR8SJXB
IRC: j_f-f at freenode.net
j_f-f at oftc.net
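
An added example, not part of the original message and not SCons or Debian code: a Python check for the condition asked about in the IRC excerpt above, "." in a Python application's library path. It goes slightly beyond "." by also flagging empty and other relative entries, which Python likewise resolves against the current directory; the function names and the sample path are assumptions constructed for illustration.

```python
import os
import sys


def cwd_dependent_entries(paths, cwd=None):
    """Return (index, entry, resolved_dir) for every sys.path-style entry
    whose meaning depends on the caller's current working directory."""
    cwd = cwd or os.getcwd()
    findings = []
    for index, entry in enumerate(paths):
        # An empty entry means "the current directory"; "." and every other
        # relative entry are resolved against the current working directory.
        if entry == "" or not os.path.isabs(entry):
            resolved = os.path.normpath(os.path.join(cwd, entry))
            findings.append((index, entry, resolved))
    return findings


def without_cwd_entries(paths):
    """Return a copy of paths with every cwd-dependent entry removed."""
    flagged = {index for index, _, _ in cwd_dependent_entries(paths)}
    return [p for i, p in enumerate(paths) if i not in flagged]


# Constructed sample search path (hypothetical, not taken from any package).
SAMPLE_PATH = ["", ".", "lib/scons", "/usr/lib/python3/dist-packages"]

if __name__ == "__main__":
    # Audit the interpreter's real search path and report where each
    # cwd-dependent entry would currently be looked up.
    for index, entry, resolved in cwd_dependent_entries(sys.path):
        print(f"sys.path[{index}] = {entry!r} -> modules loaded from {resolved}")
```

A script that runs with elevated privileges can apply `without_cwd_entries` to `sys.path` before its first non-stdlib import, so that the directory it was started from no longer takes part in module lookup.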