[Python-modules-team] Bug#652653: python-virtualenv: insecure /tmp file handling

Adam D. Barratt adam at adam-barratt.org.uk
Tue Dec 20 20:18:13 UTC 2011


On Tue, 2011-12-20 at 09:44 +0100, Piotr Ożarowski wrote:
> [Adam D. Barratt, 2011-12-19]
> > I noticed that an upload which appears to fix this issue (although
> > without referencing the bug number) has appeared in p-u-NEW.  Whilst
> 
> sorry, I didn't notice a bug was reported

No worries.  I assumed the upload was a consequence of the bug report,
given the timing, but obviously not.

> > that's an admirable turn-around :-) it really should have been discussed
> > with the SRMs first, rather than simply uploading (I believe this is
> > well documented enough by now - if not, please point out where and how
> > we could make it clearer).
> 
> oops, I assumed someone from SRMs is in the thread

If the thread involved the security team saying "please fix this via
proposed-updates", there's an implied "by talking to the release team"
attached.  We're generally not involved in such discussions until after
the security team have decided they don't want to issue a DSA for a
particular issue and someone raises it with us.

> > Looking at the diff, and the equivalent code in the unstable package,
> > there seems to be a missing component - namely, that the directory
> > created via mkdtemp() is never cleaned up.  Am I missing something, or
> > does fixing this issue result in orphaned temporary directories?
> 
> the old code didn't do it either,

Well, trying to remove /tmp would be a silly idea. ;-)

> I can update the patch to remove it

That would be good, although in that case the change should be made in
unstable first (and pushed upstream?).

Regards,

Adam
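The fix under review, tempfile.mkdtemp() for the temporary directory together with the cleanup Adam notes is missing, as an added Python example. This is not the virtualenv patch or any code posted in the thread; the function names, the "virtualenv-" prefix and the fixed "virtualenv-scratch" path in insecure_scratch_dir() are illustrative assumptions, and the file written inside the directory is a dummy.

```python
"""Safe temporary-directory handling: mkdtemp() plus guaranteed cleanup.

Added example; not code from python-virtualenv or from the mailing-list thread.
"""
import os
import shutil
import tempfile


def insecure_scratch_dir():
    """The pattern behind 'insecure /tmp file handling' (illustrative, assumed):
    a fixed, guessable path under the shared temp directory.  A local attacker
    who creates it first, or plants a symlink there, decides where the files
    land and can read or replace them."""
    return os.path.join(tempfile.gettempdir(), "virtualenv-scratch")


def with_scratch_dir(work):
    """Run work(path) inside a private, unpredictably named directory and
    remove the directory afterwards, even if work() raises.

    mkdtemp() creates the directory atomically, with mode 0700 on POSIX and a
    random suffix, so another user cannot pre-create it or redirect it through
    a symlink.  Without the finally: block the directory would be orphaned,
    which is the gap raised in the thread."""
    path = tempfile.mkdtemp(prefix="virtualenv-")
    try:
        return work(path)
    finally:
        shutil.rmtree(path, ignore_errors=True)


def demo():
    """Exercise with_scratch_dir() and record what a reviewer would check:
    the directory was private and randomly named while it existed, and it
    is gone afterwards."""
    seen = {}

    def work(path):
        mode = os.stat(path).st_mode & 0o777
        # Permission bits are only meaningful on POSIX; elsewhere skip the check.
        seen["private"] = (os.name != "posix") or mode == 0o700
        seen["random_name"] = os.path.basename(path) != "virtualenv-scratch"
        # Dummy file standing in for whatever the real tool writes.
        with open(os.path.join(path, "dummy.txt"), "w") as fh:
            fh.write("scratch data\n")
        seen["path"] = path
        return 42

    seen["result"] = with_scratch_dir(work)
    seen["cleaned_up"] = not os.path.exists(seen["path"])
    return seen


def demo_cleanup_on_error():
    """The finally: block also runs when the work fails, so a crash does not
    leave the directory behind.  Returns True if the directory is gone."""
    holder = {}

    def failing(path):
        holder["path"] = path
        raise RuntimeError("simulated failure while populating the directory")

    try:
        with_scratch_dir(failing)
    except RuntimeError:
        pass
    return not os.path.exists(holder["path"])


if __name__ == "__main__":
    print(demo())
    print(demo_cleanup_on_error())
```

The point to check when reviewing such a fix is the pairing: mkdtemp() alone closes the race, but only the try/finally (or an equivalent atexit or context-manager arrangement) keeps the fix from trading a security bug for a steadily filling /tmp.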
