Bug#863519: unblock blockdiag/1.5.3+dfsg-2
Kouhei Maeda:
> 2017-05-31 5:38 GMT+09:00 Jonathan Wiltshire <jmw@debian.org>:
>> On Sun, May 28, 2017 at 08:51:27AM +0900, Kouhei Maeda wrote:
>>> +export PYBUILD_BEFORE_BUILD=cp -a $(CURDIR)/src/blockdiag.egg-info
>>> {build_dir};cp -f $(CURDIR)/debian/circle.* /tmp/
>>
>> Apologies for not spotting it sooner, but there's a symlink vulnerability
>> here (imagine if /tmp/circle.* was a symlink to something important),
>> and I'm not sure that you should hardcode /tmp either ($TMPDIR?).
>>
>> I'm a bit concerned there's more going on here than just the bug fixes.
>> What would the minimum required changes to fix #860689 and #847930 look
>> like?
>
> Thanks,
>
> This change is temporarily copied for use in unit test.
> It is coping with PYBUILD_BEFORE_BUILD, but I should use PYBUILD_BEFORE_TEST.
> And, I had deleted the necessary deletion processing of temporary
> files with PYBUILD_AFTER_TEST.
>
> I will fix these.
>
> Regards,
>
> --
> Kouhei Maeda <mkouhei at {palmtb.net,debian.or.jp}>
> KeyID 4096R/7E37CE41
>
Hi Kouhei,
Thanks for working on improving blockdiag in Debian.
I am not confident that the "install -d" variant used in the -4 upload
is entirely safe from this symlink attack. Furthermore, it still causes
issues by:
* It would (still?) cause issues if multiple versions of blockdiag are
built on the same machine concurrently.
* It assumes /tmp rather than using $(TMPDIR) if set (minor issue)
A quick fix to both of these would be to place the temporary directory
in the "debian" directory (instead of /tmp/<hardcoded-folder>). That
would solve all of my concerns with the temporary directory used by the
build.
~Niels
Reply to: