[Pkg-corba-devel] Bug#605188: python-omniorb-doc: Use of PYTHONPATH env var in an insecure way

Sandro Tosi morph at debian.org
Sat Nov 27 22:45:57 UTC 2010

Package: python-omniorb-doc
Version: 3.3-1
Severity: important
Tags: security
User: debian-python at lists.debian.org
Usertags: pythonpath

Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in
an insecure way. Those packages do something like:


This is wrong, because if PYTHONPATH were originally unset or empty,
current working directory would be added to sys.path.

[1] http://lists.debian.org/debian-python/2010/11/msg00045.html

Your package turns out to ship vulnerable examples or contains
insecure advices: you can find a complete log at [2].

[2] http://people.debian.org/~morph/mbf/pythonpath.txt

Some guidelines on how to fix these bugs: in the case given above, you
can use something like


(If you don't known this construct, grep for "Use Alternative Value"
in the bash/dash manpage.)

Also, in cases like




you shouldn't need to touch PYTHONPATH at all.

Feel free to contact debian-python at lists.debian.org in case of

More information about the Pkg-corba-devel mailing list