[Python-modules-team] Bug#737778: python-numpy: insecure use of /tmp
Jakub Wilk
jwilk at debian.org
Wed Feb 5 21:16:42 UTC 2014
Package: python-numpy
Version: 1:1.7.1-3
Severity: important
Tags: security
numpy/f2py/__init__.py contains this code:
    from numpy.distutils.exec_command import exec_command
    import tempfile
    if source_fn is None:
        fname = os.path.join(tempfile.mktemp()+'.f')
    else:
        fname = source_fn
    f = open(fname,'w')
From the tempfile.mktemp() docstring: “This function is unsafe and
should not be used. The file name refers to a file that did not exist at
some point, but by the time you get around to creating it, someone else
may have beaten you to the punch.”
(There are other calls to tempfile.mktemp() in the numpy codebase, but I
haven't checked them.)
--
Jakub Wilk
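An added illustration of the failure mode the report describes and of the usual fix; this is example code written for this page, not numpy's or the reporter's. The unsafe writer mirrors the quoted pattern (name chosen first, plain open(..., 'w') later); the safe writer uses tempfile.mkstemp(suffix='.f'), which creates the file atomically with O_CREAT|O_EXCL and mode 0600. The Fortran snippet and the "planted" file are constructed inputs.

```python
import os
import stat
import tempfile

FORTRAN_SRC = "      program hello\n      end\n"   # constructed sample input

def write_source_unsafe(source, fname):
    """The pattern from the report: the name was chosen earlier, and
    open(..., 'w') neither checks that it is still unused nor refuses a
    symlink planted there, so it silently truncates whatever fname is."""
    with open(fname, "w") as f:
        f.write(source)
    return fname

def write_source_safe(source, suffix=".f"):
    """Hardened form: mkstemp() creates the file itself with O_CREAT|O_EXCL
    and mode 0600, so there is no window between choosing the name and
    creating the file, and a pre-existing name is never reused."""
    fd, fname = tempfile.mkstemp(suffix=suffix)
    with os.fdopen(fd, "w") as f:
        f.write(source)
    return fname

def open_exclusive(fname):
    """The primitive mkstemp relies on: O_EXCL makes os.open() raise
    FileExistsError instead of reusing a path that already exists."""
    return os.open(fname, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)

def demo():
    """Return the observable differences between the two patterns."""
    # Someone 'beat us to the punch': the predicted name already exists.
    pre_existing = os.path.join(tempfile.mkdtemp(), "guessable.f")
    with open(pre_existing, "w") as f:
        f.write("content planted by another user\n")
    write_source_unsafe(FORTRAN_SRC, pre_existing)
    with open(pre_existing) as f:
        unsafe_clobbered = f.read() == FORTRAN_SRC   # True: silently overwritten
    safe_name = write_source_safe(FORTRAN_SRC)
    try:
        os.close(open_exclusive(safe_name))
        exclusive_refused = False
    except FileExistsError:
        exclusive_refused = True
    private = stat.S_IMODE(os.stat(safe_name).st_mode) & 0o077 == 0
    return {"unsafe_clobbered": unsafe_clobbered,
            "exclusive_refused": exclusive_refused,
            "safe_is_private": private,
            "safe_suffix": safe_name.endswith(".f")}
```

The permission check assumes a POSIX filesystem; on other platforms only the exclusivity and suffix results are meaningful.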