[Python-modules-team] Bug#737778: [oss-security] CVE request: f2py insecure temporary file use
Murray McAllister
mmcallis at redhat.com
Thu Feb 6 22:47:05 UTC 2014
On 02/06/2014 02:59 PM, Murray McAllister wrote:
> Hello,
>
> Jakub Wilk reported insecure temporary file use in f2py. From
> <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737778>:
>
> ""
> numpy/f2py/__init__.py contains this code:
>
> from numpy.distutils.exec_command import exec_command
> import tempfile
> if source_fn is None:
> fname = os.path.join(tempfile.mktemp()+'.f')
> else:
> fname = source_fn
>
> f = open(fname,'w')
> ""
>
> Can a CVE please be assigned if one hasn't been already?
>
> References:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737778
> https://bugzilla.redhat.com/show_bug.cgi?id=1062009
>
> Thanks,
Thomas Spura noted in the Red Hat Bugzilla that a patch has been merged
upstream:
https://github.com/numpy/numpy/pull/4262
More information about the Python-modules-team
mailing list