[Python-modules-team] Bug#652653: python-virtualenv: insecure /tmp file handling

Adam D. Barratt adam at adam-barratt.org.uk
Mon Dec 19 22:32:38 UTC 2011


On Mon, 2011-12-19 at 17:19 +0100, Nico Golde wrote:
> it was discovered that python-virtualenv is handling /tmp files in an insecure manner.
> The following patch fixed this problem:
> https://bitbucket.org/ianb/virtualenv/changeset/8be37c509fe5

I noticed that an upload which appears to fix this issue (although
without reference to the bug number) has appeared in p-u-NEW.  Whilst
that's an admirable turn-around :-) it really should have been discussed
with the SRMs first, rather than simply uploading (I believe this is
well documented enough by now - if not, please point out where and how
we could make it clearer).

Looking at the diff, and the equivalent code in the unstable package,
there seems to be a missing component - namely, that the directory
created via mkdtemp() is never cleaned up.  Am I missing something, or
does fixing this issue result in orphaned temporary directories?
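
The cleanup concern raised above, as an added example that is not part of the original message and is not virtualenv's code: mkdtemp() closes the predictable-name race in /tmp but leaves removal to the caller. The function names and the "example-" prefix are hypothetical.

```python
import contextlib
import os
import shutil
import stat
import tempfile


@contextlib.contextmanager
def private_workdir(prefix="example-"):
    """Yield a fresh directory from mkdtemp() and always remove it."""
    # mkdtemp() picks an unpredictable name and creates the directory
    # atomically with mode 0700, so another local user cannot pre-create
    # it or plant a symlink at a guessed path under /tmp.
    path = tempfile.mkdtemp(prefix=prefix)
    try:
        yield path
    finally:
        # mkdtemp() never deletes what it created; the caller must.
        shutil.rmtree(path, ignore_errors=True)


def unpack_leaky(data):
    """mkdtemp() without cleanup: race-free, but the directory is orphaned."""
    path = tempfile.mkdtemp(prefix="example-")
    with open(os.path.join(path, "payload"), "wb") as fh:
        fh.write(data)
    return path  # nothing ever removes this directory


def unpack_clean(data):
    """Same work, with the directory removed on success and on error."""
    with private_workdir() as path:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        target = os.path.join(path, "payload")
        with open(target, "wb") as fh:
            fh.write(data)
        size = os.path.getsize(target)
    return path, mode, size


if __name__ == "__main__":
    # Constructed sample input.
    leaked = unpack_leaky(b"constructed sample data")
    print("leaky variant left behind:", os.path.exists(leaked))
    shutil.rmtree(leaked)
    path, mode, size = unpack_clean(b"constructed sample data")
    print("clean variant left behind:", os.path.exists(path), oct(mode), size)
```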


