Control: tags -1 + patch upstream fixed-upstream
Control: forwarded -1 https://bitbucket.org/nicfit/eyed3/issue/65/tagpy-in-eyed3-allows-local-users-to

Hi Alexander,

On Wed, Jan 29, 2014 at 09:33:16PM +0100, Jakub Wilk wrote:
> Package: python-eyed3
> Version: 0.6.18-1
> Severity: important
> Tags: security
>
> eyeD3/tag.py contains this code (twice):
>
>     # Open tmp file
>     tmpName = tempfile.mktemp();
>     tmpFile = file(tmpName, "w+b");
>
> From the tempfile.mktemp() docstring: “This function is unsafe and should
> not be used. The file name refers to a file that did not exist at some
> point, but by the time you get around to creating it, someone else may have
> beaten you to the punch.”

Upstream report is at [1] with commit [2] fixing this issue.

 [1] https://bitbucket.org/nicfit/eyed3/issue/65/tagpy-in-eyed3-allows-local-users-to
 [2] https://bitbucket.org/nicfit/eyed3/commits/372bbacb7a70

Regards,
Salvatore
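
Added example, not part of the original message and not the upstream commit: a race-free replacement for the mktemp()-then-open pattern quoted above, using tempfile.mkstemp(), which chooses the name and creates the file in a single exclusive step. The names rewrite_file and exclusive_create and the sample file are hypothetical, and Python 3 is assumed.

```python
import os
import shutil
import tempfile


def exclusive_create(name):
    """Create `name` the way mkstemp() does for each candidate name.

    O_CREAT | O_EXCL makes the kernel fail with EEXIST if anything already
    sits at `name`, including a symlink, instead of opening or following it.
    """
    return os.open(name, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o600)


def rewrite_file(path, transform):
    """Rewrite `path` via a private temp file, then swap it in atomically."""
    directory = os.path.dirname(os.path.abspath(path))
    # Name selection and creation happen together, so there is no window
    # between "this name is free" and "open it" for another user to win.
    fd, tmp_name = tempfile.mkstemp(prefix=".tag-", dir=directory)
    try:
        with os.fdopen(fd, "w+b") as tmp_file, open(path, "rb") as src:
            tmp_file.write(transform(src.read()))
            tmp_file.flush()
            os.fsync(tmp_file.fileno())
        shutil.copymode(path, tmp_name)  # mkstemp() creates the file 0600
        os.replace(tmp_name, path)       # atomic within one filesystem
    except BaseException:
        os.unlink(tmp_name)              # never leave a stray temp file
        raise
    return path


if __name__ == "__main__":
    # Constructed sample input: a tiny stand-in for a tagged audio file.
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, "song.mp3")
    with open(sample, "wb") as handle:
        handle.write(b"ID3old-title")
    rewrite_file(sample, lambda data: data.replace(b"old", b"new"))
    with open(sample, "rb") as handle:
        print(handle.read())
    shutil.rmtree(workdir)
```

Creating the temp file in the target's own directory keeps os.replace() on one filesystem and out of a world-writable /tmp.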