command-not-found clashes with local python3 in path

Bug #1585696 reported by Ryan MacDonell on 2016-05-25
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
command-not-found (Ubuntu)
Undecided
Adam Conrad
Xenial
Undecided
Adam Conrad

Bug Description

In Ubuntu 14.04 (and Linux Mint 17), /etc/bash.bashrc handles "command not found" with the function command_not_found_handle, which contains the line:

/usr/bin/python /usr/lib/command-not-found -- $1

However, /usr/lib/command-not-found was rewritten for Python 3. To handle this, /usr/lib/command-not-found has (lines 17-22):

if sys.version < '3':
    # We might end up being executed with Python 2 due to an old
    # /etc/bash.bashrc.
    import os
    if "COMMAND_NOT_FOUND_FORCE_PYTHON2" not in os.environ:
        os.execvp("python3", [sys.argv[0]] + sys.argv)

This catches old versions of python and re-runs command-not-found with python3 from the path. If a local version of Python (such as Anaconda) is installed, command-not-found will try to execute with the local python3 and gives:

Could not find platform independent libraries <prefix>
Could not find platform dependent libraries <exec_prefix>
Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
Fatal Python error: Py_Initialize: Unable to get the locale encoding
ImportError: No module named 'encodings'

Current thread 0x00007f04862de740 (most recent call first):
Aborted

This can be solved by replacing line 22 of /usr/lib/command-not-found with:

os.execv("/usr/bin/python3", [sys.argv[0]] + sys.argv)

Searching for "os.execvp", it doesn't appear that the same error occurs for any other scripts in /usr/lib/. Any script using os.execvp with the correct permissions is a potential security vulnerability if the path is changed to contain a malicious script under the correct name. Fortunately this is not the case for command-not-found.

Related branches

description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package command-not-found - 0.3ubuntu16.10.0

---------------
command-not-found (0.3ubuntu16.10.0) yakkety; urgency=medium

  * command-not-found: Specify full path to python3 (LP: #1585696)
  * debian/rules: rm UnifiedDataExtractor/scan.data-old on clean.
  * Update data for yakkety, and add s390x database (LP: #1593592)

 -- Adam Conrad <email address hidden> Fri, 17 Jun 2016 00:41:31 -0600

Changed in command-not-found (Ubuntu):
status: New → Fix Released
Adam Conrad (adconrad) on 2016-06-20
Changed in command-not-found (Ubuntu):
assignee: nobody → Adam Conrad (adconrad)
Changed in command-not-found (Ubuntu Xenial):
assignee: nobody → Adam Conrad (adconrad)
status: New → In Progress

Hello Ryan, or anyone else affected,

Accepted command-not-found into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/command-not-found/0.3ubuntu16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in command-not-found (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
Adam Conrad (adconrad) wrote :

Verified that with a broken /usr/local/bin/python3, the old xenial command-not-found fails, the -proposed version succeeds.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package command-not-found - 0.3ubuntu16.04.2

---------------
command-not-found (0.3ubuntu16.04.2) xenial; urgency=medium

  * Update data for xenial, and add s390x database (LP: #1593592)
  * ./update-from-web.sh: Pull from xenial data instead of devel.
  * debian/rules: rm UnifiedDataExtractor/scan.data-old on clean.
  * command-not-found: Define full path to python3 (LP: #1585696)

 -- Adam Conrad <email address hidden> Mon, 20 Jun 2016 10:27:40 -0600

Changed in command-not-found (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for command-not-found has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers