
Bug#863519: unblock blockdiag/1.5.3+dfsg-2



2017-05-31 5:38 GMT+09:00 Jonathan Wiltshire <jmw@debian.org>:
> On Sun, May 28, 2017 at 08:51:27AM +0900, Kouhei Maeda wrote:
>> +export PYBUILD_BEFORE_BUILD=cp -a $(CURDIR)/src/blockdiag.egg-info
>> {build_dir};cp -f $(CURDIR)/debian/circle.* /tmp/
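Review bot: the second command in this hook, `cp -f $(CURDIR)/debian/circle.* /tmp/`, writes to a fixed, predictable name in a world-writable directory, and cp opens an existing destination symlink and writes through it, so a link planted at `/tmp/circle.*` beforehand would redirect the copy onto whatever it points at. Stage the files in a private directory instead, either one created with `mktemp -d` under `${TMPDIR:-/tmp}` or inside the pybuild build directory already referenced as `{build_dir}` on the same line, and remove it when the tests finish; since these copies exist for the unit tests, `PYBUILD_BEFORE_TEST` and `PYBUILD_AFTER_TEST` are the matching hooks rather than `PYBUILD_BEFORE_BUILD`.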
>
> Apologies for not spotting it sooner, but there's a symlink vulnerability
> here (imagine if /tmp/circle.* was a symlink to something important),
> and I'm not sure that you should hardcode /tmp either ($TMPDIR?).
>
> I'm a bit concerned there's more going on here than just the bug fixes.
> What would the minimum required changes to fix #860689 and #847930 look
> like?

Thanks,

This change is a temporary copy for use in the unit tests.
It is copying with PYBUILD_BEFORE_BUILD, but I should use PYBUILD_BEFORE_TEST.
Also, I had deleted the necessary cleanup of the temporary
files with PYBUILD_AFTER_TEST.

I will fix these.

Regards,

--
Kouhei Maeda <mkouhei at {palmtb.net,debian.or.jp}>
 KeyID 4096R/7E37CE41
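The hazard raised in the review above, shown as an added example that is not code from the blockdiag package or from this bug thread. The "shared" directory standing in for /tmp, the asset name `circle.svg`, and the `blockdiag-test.XXXXXX` template are all hypothetical; the script runs entirely inside a throwaway sandbox so it never writes a fixed name into the real /tmp.

```shell
#!/bin/sh
# Added example (not from the blockdiag package or the bug report).
# Shows why copying to a fixed, predictable name in a shared directory
# writes through a pre-placed symlink, and the mktemp-based alternative.
set -u

# Fixed-destination copy, the pattern from the quoted debian/rules hunk.
# $1 = source file, $2 = shared directory standing in for /tmp (hypothetical).
stage_fixed_name() {
    cp -f "$1" "$2/circle.svg"    # "circle.svg" is a hypothetical asset name
}

# Hardened variant: a fresh mode-0700 directory from mktemp under $TMPDIR,
# so no other user can pre-place a link there. Prints the directory so the
# caller can remove it afterwards (the PYBUILD_AFTER_TEST cleanup step).
stage_private_dir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/blockdiag-test.XXXXXX") || return 1
    cp -f "$1" "$dir/circle.svg" || return 1
    echo "$dir"
}

# Demo: an attacker-controlled symlink at the fixed name redirects the write,
# while the private-directory copy lands in a regular file. Prints the
# victim file's contents after the unsafe copy and whether the safe copy
# produced a real (non-symlink) file.
demo() {
    sandbox=$(mktemp -d) || return 1
    shared="$sandbox/shared"
    mkdir "$shared"
    printf 'asset\n' > "$sandbox/circle.svg"     # constructed test asset
    printf 'important\n' > "$sandbox/victim"     # constructed "important" file
    ln -s "$sandbox/victim" "$shared/circle.svg" # "attacker" plants the link

    stage_fixed_name "$sandbox/circle.svg" "$shared"
    victim_now=$(cat "$sandbox/victim")          # "asset": victim was clobbered

    priv=$(stage_private_dir "$sandbox/circle.svg") || return 1
    if [ -f "$priv/circle.svg" ] && [ ! -L "$priv/circle.svg" ]; then
        safe=yes
    else
        safe=no
    fi
    rm -rf "$priv" "$sandbox"                    # remove the temporary files
    echo "$victim_now $safe"
}
```

Running `demo` prints `asset yes`: the fixed-name copy overwrote the file the symlink pointed at, whereas the mktemp directory held a plain regular file that was then cleaned up.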

