Re: Bug#652653: python-virtualenv: insecure /tmp file handling
On Tue, 2011-12-20 at 09:44 +0100, Piotr Ożarowski wrote:
> [Adam D. Barratt, 2011-12-19]
> > I noticed that an upload which appears to fix this issue (although
> > without referencing the bug number) has appeared in p-u-NEW. Whilst
> sorry, I didn't notice a bug was reported
No worries. I assumed the upload was a consequence of the bug report,
given the timing, but obviously not.
> > that's an admirable turn-around :-) it really should have been discussed
> > with the SRMs first, rather than simply uploading (I believe this is
> > well documented enough by now - if not, please point out where and how
> > we could make it clearer).
> oops, I assumed someone from SRMs was in the thread
If the thread involved the security team saying "please fix this via
proposed-updates", there's an implied "by talking to the release team"
attached. We're generally not involved in such discussions until after
the security team have decided they don't want to issue a DSA for a
particular issue and someone raises it with us.
> > Looking at the diff, and the equivalent code in the unstable package,
> > there seems to be a missing component - namely, that the directory
> > created via mkdtemp() is never cleaned up. Am I missing something, or
> > does fixing this issue result in orphaned temporary directories?
> the old code didn't do it either,
Well, trying to remove /tmp would be a silly idea. ;-)
> I can update the patch to remove it
That would be good, although in that case the change should be made in
unstable first (and pushed upstream?).
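The missing piece Adam points at, shown as an added example that is not code from python-virtualenv or from this thread: mkdtemp() gives a private, unpredictably named directory, but nothing removes it unless the caller does. The prefix and the scratch file name below are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile


def with_private_tempdir(work, prefix="virtualenv-"):
    """Create a private temp dir, run work(path), then always remove it.

    tempfile.mkdtemp() chooses an unpredictable name and creates the
    directory with mode 0700, so another local user cannot pre-create or
    read it. It does not delete the directory afterwards; without the
    finally block every run leaves an orphaned directory under TMPDIR.
    """
    path = tempfile.mkdtemp(prefix=prefix)  # prefix is a constructed value
    try:
        return work(path)
    finally:
        shutil.rmtree(path, ignore_errors=True)


def demo():
    """Run a small job in a private temp dir and report what happened.

    Returns (mode_while_in_use, still_exists_afterwards, work_result).
    """
    seen = {}

    def work(path):
        seen["path"] = path
        seen["mode"] = stat.S_IMODE(os.stat(path).st_mode)
        # Constructed scratch file standing in for whatever the tool writes.
        with open(os.path.join(path, "scratch.cfg"), "w") as fh:
            fh.write("# constructed scratch content\n")
        return os.path.exists(os.path.join(path, "scratch.cfg"))

    result = with_private_tempdir(work)
    return seen["mode"], os.path.exists(seen["path"]), result


if __name__ == "__main__":
    print(demo())
```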