[Python-modules-team] Bug#798010: Bug#798010: ipython3: malicious dynamic python3 interpreter lookup via "/usr/bin/env python3" in main executable

Scott Kitterman debian at kitterman.com
Fri Sep 4 13:34:47 UTC 2015


On Friday, September 04, 2015 02:30:47 PM Tobias Megies wrote:
> Package: ipython3
> Version: 2.3.0-2
> Severity: serious
> Justification: Debian Python Policy 2.4.2: Interpreter Location
> 
> Dear Maintainer,
> 
> the main executable /usr/bin/ipython3 has shebang line 1 "#!/usr/bin/env
> python3" and thus uses the first python3 interpreter found in $PATH doing a
> dynamic lookup at execution time.
> If a local user-space Python environment is coming first in $PATH it will
> thus yield the Python3 IPython prompt from user space and not from the
> system python. This will result in very puzzling situation and clearly is
> in violation of the Debian Python Policy which demands the hardcoded system
> python binary in shebang.
> 
> See Debian Python Policy 2.4.2 Interpreter location:
> https://www.debian.org/doc/packaging-manuals/python-policy/ch-python.html#s-interpreter_loc
> 
> === quote start
> The preferred specification for the Python interpreter is /usr/bin/python or
> /usr/bin/pythonX.Y. This ensures that a Debian installation of python is
> used and all dependencies on additional python modules are met.
> Maintainers should not override the Debian Python interpreter using
> /usr/bin/env python or /usr/bin/env pythonX.Y. This is not advisable as it
> bypasses Debian's dependency checking and makes the package vulnerable to
> incomplete local installations of python.
> === quote end

First, Python policy is not Debian policy, so violating it doesn't 
automatically make a serious bug.  Second, the policy says preferred and 
should quite deliberately as the /usr/bin/env approach is quite common in the 
Python world and we do not want to force maintainers to patch large numbers of 
packages to avoid it.

Scott K
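A check for the lookup behaviour the report describes, written as an added shell example (not code from the bug report, Debian, or IPython). It classifies a script's shebang as a fixed interpreter path or a `/usr/bin/env` PATH lookup and, for the latter, shows which interpreter the current `$PATH` would select; the sample scripts it creates are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: distinguish a hardcoded interpreter shebang from a
# "/usr/bin/env NAME" lookup, and resolve what the lookup yields right now.

shebang_kind() {
    # $1: path to the script to inspect; prints env-lookup, fixed or none
    first=$(head -n 1 "$1" 2>/dev/null) || return 1
    case "$first" in
        "#!/usr/bin/env "*|"#!/bin/env "*) echo env-lookup ;;
        "#!"*)                                echo fixed ;;
        *)                                    echo none ;;
    esac
}

# Interpreter name that a "#!/usr/bin/env NAME ..." line would search $PATH for.
env_interp_name() {
    first=$(head -n 1 "$1") || return 1
    set -- ${first#*env }      # drop everything up to "env ", keep first word
    printf '%s\n' "$1"
}

# Report every env-lookup script in a directory together with the interpreter
# $PATH resolves at this moment. A user-local Python earlier in $PATH changes
# the answer, which is exactly the puzzling situation the report describes.
scan_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(shebang_kind "$f")" = env-lookup ]; then
            name=$(env_interp_name "$f")
            resolved=$(command -v "$name" 2>/dev/null || echo "(not in PATH)")
            printf '%s: env lookup of %s -> %s\n' "$f" "$name" "$resolved"
        fi
    done
}

# Constructed sample scripts (not real Debian files) used to demonstrate the check.
demo_dir=$(mktemp -d)
printf '#!/usr/bin/env python3\nprint("hi")\n' > "$demo_dir/dynamic.py"
printf '#!/usr/bin/python3\nprint("hi")\n'      > "$demo_dir/fixed.py"
printf 'print("no shebang")\n'                  > "$demo_dir/plain.py"

scan_dir "$demo_dir"
```

Pointing `scan_dir` at a directory of installed executables lists which ones depend on the caller's `$PATH` rather than on a fixed system interpreter.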