[Debian-med-packaging] Bug#751586: python-biopython: tests are run with HOME=/tmp
Jakub Wilk
jwilk at debian.org
Sat Jun 14 14:11:47 UTC 2014
Source: python-biopython
Version: 1.64+dfsg-1
Tags: security
This package runs tests with HOME set to /tmp. But software that creates
files in $HOME (including Biopython itself) expects that this directory
is only writable by trusted users, whereas /tmp is world-writable.
A malicious local user could exploit this flaw to force test failures by
creating the /tmp/.config file, preventing creation of
$HOME/.config/biopython. It is likely that more sophisticated (and more
harmful) attacks are also possible.
--
Jakub Wilk
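
Added example, not part of the original report and not the package's own build code: a test wrapper that points HOME at a fresh private directory instead of /tmp and refuses any HOME that other users can write to. All function names are hypothetical; create_config_dir is an assumed stand-in for the step that creates $HOME/.config/biopython.

```shell
#!/bin/sh
# Added example; every name below is hypothetical, not from the package.

# Succeed only if DIR is a real directory (not a symlink), owned by the
# current user, and not writable by group or others. /tmp (mode 1777) fails.
home_is_private() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ ! -L "$dir" ] || return 1
    [ -O "$dir" ] || return 1
    # find prints the directory itself only if a group/other write bit is set
    loose=$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)
    [ -z "$loose" ]
}

# Stand-in for the test suite's start-up step (assumption based on the
# report: it creates $HOME/.config/biopython).
create_config_dir() {
    mkdir -p "$HOME/.config/biopython" 2>/dev/null
}

# Run a command with HOME set to a new directory from mktemp -d (mode 0700,
# unpredictable name), then remove that directory and return the command's
# exit status.
run_with_private_home() {
    test_home=$(mktemp -d) || return 1
    status=0
    if home_is_private "$test_home"; then
        # Subshell keeps the HOME override from leaking into the caller.
        ( HOME=$test_home; export HOME; "$@" ) || status=$?
    else
        status=1
    fi
    rm -rf -- "$test_home"
    return "$status"
}
```

In a build script the test command would be passed as the arguments, e.g. `run_with_private_home python setup.py test` (command shown for illustration only).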