[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#652653: python-virtualenv: insecure /tmp file handling

On Tue, 2011-12-20 at 09:44 +0100, Piotr Ożarowski wrote:
> [Adam D. Barratt, 2011-12-19]
> > I noticed that an upload which appears to fix this issue (although
> > without reference the bug number) has appeared in p-u-NEW.  Whilst
> sorry, I didn't notice a bug was reported

No worries.  I assumed the upload was a consequence of the bug report,
given the timing, but obviously not.

> > that's an admirable turn-around :-) it really should have been discussed
> > with the SRMs first, rather than simply uploading (I believe this is
> > well documented enough by now - if not, please point out where and how
> > we could make it clearer).
> ups, I assumed someone from SRMs is in the thread

If the thread involved the security team saying "please fix this via
proposed-updates", there's an implied "by talking to the release team"
attached.  We're generally not involved in such discussions until after
the security team have decided they don't want to issue a DSA for a
particular issue and someone raises it with us.

> > Looking at the diff, and the equivalent code in the unstable package,
> > there seems to be a missing component - namely, that the directory
> > created via mkdtemp() is never cleaned up.  Am I missing something, or
> > does fixing this issue result in orphaned temporary directories?
> the old code didn't do it as well,

Well, trying to remove /tmp would be a silly idea. ;-)

> I can update the patch to remove it

That would be good, although in that case the change should be made in
unstable first (and pushed upstream?).



Reply to: