[Bug 1220478] Re: /usr/bin/eyeD3 depends on PATH to find python, crashes with ImportError

jimav 1220478 at bugs.launchpad.net
Sat Sep 14 03:00:26 UTC 2013


Ok.
P.S. I marked it as security sensitive because it involves an unexpected 
search of $PATH to find an executable.

On 09/13/2013 01:26 PM, Marc Deslauriers wrote:
> Thanks for taking the time to report this bug and helping to make Ubuntu
> better. We appreciate the difficulties you are facing, but this appears
> to be a "regular" (non-security) bug.  I have unmarked it as a security
> issue since this bug does not show evidence of allowing attackers to
> cross privilege boundaries nor directly cause loss of data/privacy.
> Please feel free to report any other bugs you may find.
>
> ** Information type changed from Private Security to Public
>

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to eyed3 in Ubuntu.
https://bugs.launchpad.net/bugs/1220478

Title:
  /usr/bin/eyeD3 depends on PATH to find python, crashes with
  ImportError

Status in “eyed3” package in Ubuntu:
  New

Bug description:
  /usr/bin/eyeD3 is a python script which starts with

       #!/usr/bin/env python

  but instead should hard-code the path where Ubuntu installed the
  version of python which has eyeD3's companion libraries:

       #!/usr/bin/python

  Depending on PATH leads to disaster if multiple python executables are
  installed and anything other than the system default is first in PATH.
  The problem is that eyeD3 depends on its own app-specific libraries,
  and each python installation uses its own separate library
  directories.  So if the "wrong" python interpreter is used, the
  expected libraries will not be found.  This causes the eyeD3 program
  to crash with

      ImportError: No module named eyeD3

  In particular, if a LibreOffice test build is installed and
  /opt/libreoffice*/program is before /usr/bin in PATH (as it must be to
  use it conveniently), then "eyeD3" crashes with an import error because
  LibreOffice comes with its own python installation.

  This is also a security risk because a script named "python" will be
  executed without the user's knowledge if "." is in PATH before
  /usr/bin.

  ProblemType: Bug
  DistroRelease: Ubuntu 13.04
  Package: eyed3 0.6.18-1
  ProcVersionSignature: Ubuntu 3.8.0-29.42-generic 3.8.13.5
  Uname: Linux 3.8.0-29-generic x86_64
  ApportVersion: 2.9.2-0ubuntu8.3
  Architecture: amd64
  Date: Tue Sep  3 16:47:18 2013
  InstallationDate: Installed on 2013-08-06 (28 days ago)
  InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424)
  MarkForUpload: True
  PackageArchitecture: all
  SourcePackage: eyed3
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/eyed3/+bug/1220478/+subscriptions
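
The lookup the bug description turns on, as an added example (not part of the original report or of the eyeD3 package): it reads a script's `#!/usr/bin/env NAME` line, walks a PATH string in order to find which interpreter would actually run, and lists relative entries searched before a trusted directory. The function names and the `(empty)` label are assumptions of this sketch.

```shell
# Added example: how "#!/usr/bin/env NAME" resolves under a given PATH string.

# Print NAME if the first line of file $1 is "#!/usr/bin/env NAME".
env_shebang_name() {
    first=; IFS= read -r first < "$1" || [ -n "$first" ] || return 1
    case $first in
        '#!/usr/bin/env '*) name=${first#'#!/usr/bin/env '} ;;
        *) return 1 ;;
    esac
    name=${name%% *}
    [ -n "$name" ] && printf '%s\n' "$name"
}

# Print the first executable named $1 along PATH string $2, searching in
# order as env does; an empty entry means the current directory.
resolve_in_path() {
    rest=$2:
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        [ -n "$dir" ] || dir=.
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"; return 0
        fi
    done
    return 1
}

# Print entries of PATH string $1 that are empty, "." or otherwise relative
# and are searched before the trusted directory $2.
risky_entries_before() {
    rest=$1:
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        [ "$dir" = "$2" ] && break
        case $dir in /*) ;; *) printf '%s\n' "${dir:-(empty)}" ;; esac
    done
    return 0
}

# Compare what script $1 would run under PATH string $2 with the
# interpreter the package expects ($3).
audit_script() {
    name=$(env_shebang_name "$1") || { echo "ok: no env shebang"; return 0; }
    found=$(resolve_in_path "$name" "$2") || { echo "unresolved: $name"; return 0; }
    if [ "$found" = "$3" ]; then echo "ok: $found"
    else echo "mismatch: $found (expected $3)"; fi
}

# When given a script path, audit it against the current PATH.
if [ $# -ge 1 ]; then audit_script "$1" "$PATH" /usr/bin/python; fi
```

Run as `sh check.sh /usr/bin/eyeD3` (file name assumed); a `mismatch:` line means the script would start under an interpreter other than the one its libraries were installed for.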



