Bug#737778: [oss-security] CVE request: f2py insecure temporary file use

Murray McAllister Thu, 06 Feb 2014 14:52:08 -0800

On 02/06/2014 02:59 PM, Murray McAllister wrote:

Hello,


Jakub Wilk reported insecure temporary file use in f2py. From
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737778>:

""
numpy/f2py/__init__.py contains this code:

      from numpy.distutils.exec_command import exec_command
      import tempfile
      if source_fn is None:
          fname = os.path.join(tempfile.mktemp()+'.f')
      else:
          fname = source_fn

      f = open(fname,'w')
""

Can a CVE please be assigned if one hasn't been already?

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737778
https://bugzilla.redhat.com/show_bug.cgi?id=1062009

Thanks,

Thomas Spura noted in the Red Hat Bugzilla that a patch has been mergedupstream:


https://github.com/numpy/numpy/pull/4262


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#737778: [oss-security] CVE request: f2py insecure temporary file use

Reply via email to