Bug#863519: unblock blockdiag/1.5.3+dfsg-2
Control: tag -1 moreinfo
On Sun, May 28, 2017 at 08:51:27AM +0900, Kouhei Maeda wrote:
> +export PYBUILD_BEFORE_BUILD=cp -a $(CURDIR)/src/blockdiag.egg-info
> {build_dir};cp -f $(CURDIR)/debian/circle.* /tmp/
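Review bot: the second command on this line, `cp -f $(CURDIR)/debian/circle.* /tmp/`, writes predictable file names into a fixed shared directory, and nothing on this line removes them afterwards. An entry already present under one of those names, a symlink included, is opened and written through, and parallel builds on the same host would overwrite each other's copies. The first command on the same line already targets `{build_dir}`; copying `circle.*` there, or into a directory created with `mktemp -d` under `$TMPDIR` and removed after the build, would keep the files inside the build's own tree.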
Apologies for not spotting it sooner, but there's a symlink vulnerability
here (imagine if /tmp/circle.* was a symlink to something important),
and I'm not sure that you should hardcode /tmp either ($TMPDIR?).
I'm a bit concerned there's more going on here than just the bug fixes.
What would the minimum required changes to fix #860689 and #847930 look
like?
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
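The symlink concern raised in the message above, as an added example that is not part of the original mail or of the blockdiag packaging: a constructed sandbox runs a `cp -f` into a shared directory where a symlink already exists under the destination name, next to a copy into a private `mktemp -d` directory that honours `$TMPDIR`. The function names, the file names and the `blockdiag-build` prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: shared-directory copy vs. private staging directory.
# All names here (copy_shared, copy_private, run_demo, blockdiag-build,
# circle.png, victim) are hypothetical and the sandbox is constructed.

# Pattern under review: copy into a shared directory under a predictable
# name. cp opens an existing destination for writing, so a symlink already
# sitting at that name is followed and its target is overwritten.
copy_shared() {   # usage: copy_shared SRC SHARED_DIR
    cp -f -- "$1" "$2/"
}

# Hardened pattern: mktemp -d creates a new directory (mode 0700,
# unpredictable name) under $TMPDIR, so no other user can have placed
# anything at the destination name. Prints the directory; caller removes it.
copy_private() {  # usage: copy_private SRC
    dir=$(mktemp -d "${TMPDIR:-/tmp}/blockdiag-build.XXXXXX") || return 1
    cp -- "$1" "$dir/" || { rm -rf -- "$dir"; return 1; }
    printf '%s\n' "$dir"
}

# Runs both patterns inside one throwaway directory and prints the content
# of the "victim" file after each: "<after shared> <after private>".
run_demo() {
    box=$(mktemp -d) || return 1
    mkdir "$box/shared" "$box/src" || return 1
    printf 'fixture\n' > "$box/src/circle.png"
    printf 'important\n' > "$box/victim"
    ln -s "$box/victim" "$box/shared/circle.png"  # entry that existed first

    copy_shared "$box/src/circle.png" "$box/shared"
    after_shared=$(cat "$box/victim")

    printf 'important\n' > "$box/victim"          # reset for the second run
    staged=$(TMPDIR="$box" copy_private "$box/src/circle.png") || return 1
    [ -f "$staged/circle.png" ] || return 1
    after_private=$(cat "$box/victim")

    rm -rf -- "$box"
    printf '%s %s\n' "$after_shared" "$after_private"
}

run_demo   # prints "fixture important"
```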