Package: python-wxgtk3.0
Version: 3.0.1.1+dfsg-2
Tags: security
This is how wx.tools.img2py uses temporary files (with boring parts
snipped):
    tfname = tempfile.mktemp()
    try:
        ok, msg = convert(image_file, maskClr, None, tfname, wx.BITMAP_TYPE_PNG,
                          ".png")
        # ...
    finally:
        # ...
This is insecure, because mktemp() returns just a filename, without
creating the file on disk. From the documentation: "Use of this function
may introduce a security hole in your program. By the time you get
around to doing anything with the file name it returns, someone else may
have beaten you to the punch."
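Added example (not part of the bug report or of wxPython): the mktemp() pattern from the snippet above next to the mkstemp()-based form that closes the race. convert() is replaced by a constructed stand-in, fake_convert(), that just writes bytes to the path it is given, since the real wx.tools.img2py converter needs wx and an input image.

```python
import os
import tempfile


def fake_convert(data, out_path):
    # Constructed stand-in for wx.tools.img2py.convert(): it opens the path it
    # is handed by name, writes the payload and reports success, which is all
    # that matters for the temporary-file handling shown here.
    with open(out_path, "wb") as f:
        f.write(data)
    return True, "ok"


def convert_insecure(data):
    # The pattern from the bug report: mktemp() only invents a name and creates
    # nothing. Between this call and the open() inside the converter, another
    # local user can create that path (or a symlink there), so the write can be
    # redirected to a file of their choosing.
    tfname = tempfile.mktemp()
    try:
        ok, msg = fake_convert(data, tfname)
        if not ok:
            raise RuntimeError(msg)
        with open(tfname, "rb") as f:
            return f.read()
    finally:
        if os.path.exists(tfname):
            os.remove(tfname)


def convert_secure(data):
    # mkstemp() creates the file itself, atomically (O_CREAT|O_EXCL) and with
    # mode 0600, and returns a descriptor we own. The name still gets passed to
    # the converter exactly as before, but the path already exists and belongs
    # to us, so nobody else can plant it first.
    fd, tfname = tempfile.mkstemp(suffix=".png")
    try:
        os.close(fd)  # the converter opens the path by name
        ok, msg = fake_convert(data, tfname)
        if not ok:
            raise RuntimeError(msg)
        with open(tfname, "rb") as f:
            return f.read()
    finally:
        os.remove(tfname)


def temp_file_removed(data):
    # Helper for checking cleanup: run the secure path and report whether the
    # temporary file is gone afterwards.
    before = set(os.listdir(tempfile.gettempdir()))
    convert_secure(data)
    after = set(os.listdir(tempfile.gettempdir()))
    return after <= before


if __name__ == "__main__":
    print(convert_secure(b"\x89PNG\r\n\x1a\n"))
```

Both functions return the same bytes on a quiet machine; the difference is only visible under contention, which is exactly why the race is easy to overlook. If the converter could accept an open file object instead of a path, passing the descriptor from mkstemp() (via os.fdopen) would avoid the second open-by-name entirely.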
Unfortunately, we have embedded copies of this code in the archive:
https://codesearch.debian.net/search?q=tempfile.mktemp+path%3Aimg2py.py
--
Jakub Wilk