[Python-apps-team] Bug#785627: mayavi2: malicious dynamic python interpreter lookup via "/usr/bin/env python" in main executable

Tobias Megies megies at geophysik.uni-muenchen.de
Mon May 18 13:14:06 UTC 2015


Package: mayavi2
Version: 4.3.1-3.1
Severity: serious
Justification: Debian Python Policy 2.4.2: Interpreter Location

Dear Maintainer,

When running /usr/bin/mayavi2 it uses the first python interpreter found in
$PATH by using "#!/usr/bin/env python" as shebang in line 1.
If a local user-space Python environment is coming first in $PATH, this is bound
to fail, because module dependencies might not be there or might be there in
the wrong versions.

See Debian Python Policy 2.4.2 Interpreter location:
https://www.debian.org/doc/packaging-manuals/python-policy/ch-python.html#s-interpreter_loc

=== quote start
The preferred specification for the Python interpreter is /usr/bin/python or
/usr/bin/pythonX.Y. This ensures that a Debian installation of python is used
and all dependencies on additional python modules are met.
Maintainers should not override the Debian Python interpreter using
/usr/bin/env python or /usr/bin/env pythonX.Y. This is not advisable as it
bypasses Debian's dependency checking and makes the package vulnerable to
incomplete local installations of python.
=== quote end


best regards,
Tobias Megies



-- System Information:
Debian Release: 8.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages mayavi2 depends on:
ii  libc6                             2.19-18
ii  libjs-jquery                      1.7.2+dfsg-3.2
ii  python                            2.7.9-1
ii  python-apptools                   4.2.1-1
ii  python-configobj                  5.0.6-1
ii  python-envisage                   4.4.0-1
ii  python-numpy [python-numpy-abi9]  1:1.8.2-2
ii  python-pkg-resources              5.5.1-1
ii  python-traits                     4.4.0-1
ii  python-traitsui                   4.4.0-1.3
ii  python-vtk                        5.8.0-17.5
ii  python-wxgtk3.0                   3.0.1.1+dfsg-2

mayavi2 recommends no packages.

Versions of packages mayavi2 suggests:
pn  ipython       <none>
ii  python-scipy  0.14.0-2

-- no debconf information
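As an added example (not code from the report, the mayavi2 package or Debian's tooling), a small check that flags `/usr/bin/env python` shebangs in a set of executables, suggests the policy-compliant `/usr/bin/pythonX.Y` form, and demonstrates the PATH-order problem the report describes; the script names, the temp-dir layout and the fake `python` binaries are constructed for the demo.

```python
"""Added example: find "#!/usr/bin/env python" shebangs (the bug reported above)
and show that $PATH order decides which interpreter "env" runs."""
import os
import re
import shutil
import tempfile
from pathlib import Path

# Matches "#!/usr/bin/env python", "#! /usr/bin/env python2.7", etc.
ENV_PYTHON_RE = re.compile(r"^#!\s*/usr/bin/env\s+(python[0-9.]*)\b")
def check_shebang(path):
    """Policy-compliant shebang if line 1 uses /usr/bin/env python*, else None."""
    with open(path, "rb") as f:
        first = f.readline(256).decode("ascii", "replace").rstrip("\r\n")
    m = ENV_PYTHON_RE.match(first)
    return "#!/usr/bin/" + m.group(1) if m else None

def scan(paths):
    """Map each offending file name to the shebang Debian policy wants."""
    findings = {}
    for p in paths:
        fix = check_shebang(p)
        if fix:
            findings[Path(p).name] = fix
    return findings

def demo():
    """Constructed sample tree in a temp dir (not real system files)."""
    root = Path(tempfile.mkdtemp())
    scripts = {
        "mayavi2": "#!/usr/bin/env python\nimport sys\n",   # offending
        "env27": "#!/usr/bin/env python2.7\nprint(1)\n",    # offending
        "good": "#!/usr/bin/python2.7\nimport sys\n",       # compliant
        "sh-tool": "#!/bin/sh\necho hi\n",                  # not python
    }
    for name, body in scripts.items():
        (root / name).write_text(body)
    # Two "python" executables: a user venv and the system one.
    for sub in ("venv/bin", "usr/bin"):
        (root / sub).mkdir(parents=True)
        (root / sub / "python").write_text("#!/bin/sh\n")
        (root / sub / "python").chmod(0o755)
    # With the venv first in PATH, "/usr/bin/env python" would run its python.
    path_env = os.pathsep.join([str(root / "venv/bin"), str(root / "usr/bin")])
    picked = Path(shutil.which("python", path=path_env)).relative_to(root)
    return scan(sorted(p for p in root.iterdir() if p.is_file())), str(picked)

if __name__ == "__main__":
    findings, picked = demo()
    print(findings, "| env python resolves to:", picked)
```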