[Scons-dev] script/scons

Dirk Bächle tshortik at gmx.de
Sat Nov 8 07:06:21 EST 2014


On 08.11.2014 12:41, Jörg Frings-Fürst wrote:
> Hello Dirk,
>
> On Saturday, 08.11.2014, 11:58 +0100, Dirk Bächle wrote:
> > Hi Jörg,
> >
> > On 08.11.2014 11:42, Jörg Frings-Fürst wrote:
> > > Hello,
> > >
> > > I have just received the following from Helmut Grohne <helmut at subdivi.de>:
> > >
> > >
> [...]
> > > Any hints about this?
> > I fail to see how this affects the integrity and security of a Debian
> > installation/distribution. When Helmut Grohne says that "the Debian
> > package almost certainly should revert it." is this based on anything
> > more than his very personal opinion, and a good portion of FUD?
> >
>
> From irc:
>
> [08:00:45] <helmut> is having "." in the library path for a python application generally considered a vulnerability?
> [08:45:03] <womble> helmut: It certainly isn't a *good* thing.  If it runs with any sort of elevated privileges, it's *definitely* exploitable.
> [09:56:04] <carnil> helmut, womble: reminds me as example to perl e.g. there is #588017, one puppet CVE in similar regard was http://puppetlabs.com/security/cve/cve-2014-3248, or #591676
> [09:56:14] [zwiebelbot] Debian#588017: perl: current directory in @INC potentially harmful - https://bugs.debian.org/588017

In these first two references (I followed the given links), they talk 
about adding "." (the current working directory) to the python path. We 
don't do that, we add "scriptdir + .. + engine"...which is actually a 
fully qualified path. It's just not "normalized" in the sense that it 
has a ".." in it. Other than that, it's no different from any other 
absolute path like, let's say, "/usr/lib/python2.7/site-packages".

> [09:56:15] [zwiebelbot] Debian#591676: pylint: please either disable or document dynamic checks - https://bugs.debian.org/591676

In this last link, there is no adding of "." to the python path 
mentioned...and neither is adding "..". So I don't regard it as being 
relevant to the current discussion.

Regards,

Dirk
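The distinction drawn in the reply above (an entry that is "." or empty, versus an absolute entry that merely contains "..") is the whole security question, so here is an added example that is not part of the thread or of SCons itself. It builds a throwaway layout under a temp directory (a hypothetical install with a `script/scons` launcher, an `engine/helper.py`, and an unprivileged-user-controlled `attacker/helper.py`), constructs the path entry the way the mail describes it, and shows which `helper.py` a path-based import search would pick when the process is started from the attacker's directory. The module name `helper` and the directory layout are assumptions made for the demonstration.

```python
import os
import shutil
import tempfile


def scons_engine_path(script_path):
    """Build the entry the mail describes: scriptdir + ".." + "engine".

    The result contains ".." but is still an absolute path, so where it
    points does not depend on the process' current working directory.
    """
    script_dir = os.path.dirname(os.path.abspath(script_path))
    return os.path.join(script_dir, "..", "engine")


def is_cwd_dependent(entry):
    """True for sys.path entries whose meaning changes with the cwd.

    '' (an empty entry) means "the current directory" to Python's import
    system; '.' and any other relative path are resolved against the cwd.
    """
    return entry == "" or not os.path.isabs(entry)


def resolve_entry(entry, cwd):
    """Resolve a sys.path entry to an absolute, normalized directory, as the
    import system effectively does when the process cwd is `cwd`."""
    if entry == "":
        entry = cwd
    return os.path.normpath(os.path.join(cwd, entry))


def find_module_file(name, path_entries, cwd):
    """Minimal stand-in for the path-based import search: return the first
    `<dir>/<name>.py` found while walking path_entries in order."""
    for entry in path_entries:
        candidate = os.path.join(resolve_entry(entry, cwd), name + ".py")
        if os.path.isfile(candidate):
            return candidate
    return None


def demo():
    """Constructed layout (hypothetical install prefix under a temp dir):

        <root>/script/scons         the launcher script
        <root>/engine/helper.py     the real module shipped with the tool
        <root>/attacker/helper.py   a same-named file in a directory an
                                    unprivileged user controls
    """
    root = tempfile.mkdtemp()
    try:
        dirs = {d: os.path.join(root, d) for d in ("script", "engine", "attacker")}
        for d in dirs.values():
            os.makedirs(d)
        script = os.path.join(dirs["script"], "scons")
        open(script, "w").close()
        for d in ("engine", "attacker"):
            with open(os.path.join(dirs[d], "helper.py"), "w") as f:
                f.write("ORIGIN = %r\n" % d)

        engine_entry = scons_engine_path(script)
        # The user runs the tool from the attacker-controlled directory.
        cwd = dirs["attacker"]

        script_relative_path = [engine_entry]        # what the mail describes
        cwd_relative_path = [".", engine_entry]      # what the IRC log warns about

        return {
            "engine_entry": engine_entry,
            "engine_entry_is_absolute": not is_cwd_dependent(engine_entry),
            "engine_entry_normalized": resolve_entry(engine_entry, cwd),
            "engine_dir": dirs["engine"],
            "script_relative_pick": find_module_file("helper", script_relative_path, cwd),
            "cwd_relative_pick": find_module_file("helper", cwd_relative_path, cwd),
            "engine_helper": os.path.join(dirs["engine"], "helper.py"),
            "attacker_helper": os.path.join(dirs["attacker"], "helper.py"),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-26s %s" % (key, value))
```

The `".."` inside the engine entry normalizes away to `<root>/engine` no matter where the process was started, so `helper` is always taken from the shipped engine directory; only the `"."` entry lets a file in the caller's working directory win the search. That is the check to apply when auditing a launcher: look for entries that are empty or relative, not for entries that merely contain `..`.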


