Hello Jakub,
nuitka creates temporary files insecurely in a few places:
* misc/make-dependency-graph.sh:
This is not part of the binary package, it's part of the upstream
tarball and purely a developer tool.
( sfood nuitka | egrep -v "'(sys|signal|math|os.py|re.py|nuitka/(oset|odict).py)'" | sfood-graph | dot -Tps >/tmp/out.ps ) && evince /tmp/out.ps
* nuitka/codegen/CppRawStrings.py:
source_file = open( "/tmp/raw_test.cpp", "w" )
It's also executing the compiled source put there, but only if
"_paranoid_debug" is set, which is constant "False" in the source code. The
installed binary package cannot run this code, can it?
Do I need to take action here?
I probably should remove it from the source in a patch for Debian, or
make it more secure.
* bin/benchmark.sh:
$NUITKA_BINARY --exe --output-dir=/tmp/ --unstriped $NUITKA_EXTRA_OPTIONS $1
Same as the first entry, this is not part of the binary package, it's
part of the upstream tarball and purely for developer purposes.
I have to admit that I have little clue how to create temporary
directory names, or how to do that in "/var/tmp" in any portable
way in a shell script.
I will probably port the two scripts to Python and use the tempfile
module, which allows me to be better at it.
So, this bug will be addressed in the upcoming upstream release too.
Best regards,
Kay Hayen
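
Added example, not part of the original message or of Nuitka's code: the tempfile approach mentioned above, contrasting a fixed name such as raw_test.cpp with exclusive creation and tempfile.mkstemp. The helper names, victim.txt and the private directory standing in for /tmp are constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path


def write_predictable(path, data):
    # Pattern from the report: a fixed name opened with "w". open() follows
    # an existing symlink and truncates whatever it points to.
    with open(path, "w") as handle:
        handle.write(data)


def write_exclusive(path, data):
    # Same fixed name, but O_EXCL refuses any pre-existing entry, symlinks
    # included (FileExistsError is raised instead of following the link).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(data)


def write_private(data, directory=None):
    # tempfile.mkstemp: unpredictable name, O_EXCL creation, mode 0600.
    fd, path = tempfile.mkstemp(prefix="raw_test_", suffix=".cpp", dir=directory)
    with os.fdopen(fd, "w") as handle:
        handle.write(data)
    return path


def demo():
    # A private directory stands in for /tmp; all contents are constructed.
    with tempfile.TemporaryDirectory() as sandbox:
        victim = Path(sandbox, "victim.txt")
        fixed = os.path.join(sandbox, "raw_test.cpp")
        victim.write_text("important")
        os.symlink(victim, fixed)  # the fixed name already exists as a link
        try:
            write_exclusive(fixed, "int main() {}")
            refused = False
        except FileExistsError:
            refused = True
        path = write_private("int main() {}", directory=sandbox)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        intact = victim.read_text() == "important"
        write_predictable(fixed, "int main() {}")
        clobbered = victim.read_text() != "important"
    return {"refused": refused, "intact": intact, "mode": mode, "clobbered": clobbered}


if __name__ == "__main__":
    print(demo())
```

For the --output-dir=/tmp/ case in bin/benchmark.sh, tempfile.mkdtemp() gives the same guarantees for a directory.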