Package: python-wxgtk3.0
Version: 3.0.1.1+dfsg-2
Tags: security

This is how wx.build.config uses temporary files:

    xmltemp = tempfile.mktemp('.xml')
    # First run swig to produce the XML file, adding
    # an extra -D that prevents the old rename
    # directives from being used
    cmd = [ swig_cmd ] + swig_args + \
          [ '-DBUILDING_RENAMERS', '-xmlout', xmltemp ] + \
          ['-I'+dir, '-o', cpp_file, i_file]
    msg(' '.join(cmd))
    spawn(cmd)

This is insecure, because mktemp() returns just a filename, without
creating the file on disk. From the documentation: "Use of this function
may introduce a security hole in your program. By the time you get
around to doing anything with the file name it returns, someone else may
have beaten you to the punch."
--
Jakub Wilk
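
Added example, not part of the original report and not wxPython's code: one race-free way to hand an external tool an output path is to put it inside a directory created atomically with mode 0700, and to use O_EXCL when the program creates the file itself. The names run_with_private_xml, exclusive_create and fake_swig are hypothetical, and fake_swig is a constructed stand-in for the real swig command line.

```python
import os
import stat
import subprocess
import sys
import tempfile


def run_with_private_xml(make_cmd):
    """Run a tool that writes XML to a path only this user can reach.

    make_cmd(xml_path) returns the argv list; it stands in for the
    swig command line built in the report (hypothetical helper).
    Returns (directory mode, bytes written by the tool).
    """
    # TemporaryDirectory() uses mkdtemp(): the directory is created
    # atomically with mode 0700, so no other user can place a file or
    # symlink at xml_path before the tool opens it.
    with tempfile.TemporaryDirectory(prefix="wxbuild-") as tmpdir:
        mode = stat.S_IMODE(os.stat(tmpdir).st_mode)
        xml_path = os.path.join(tmpdir, "out.xml")
        subprocess.run(make_cmd(xml_path), check=True)
        with open(xml_path, "rb") as fh:
            return mode, fh.read()


def exclusive_create(path):
    """Create path only if nothing exists there; never follow a symlink."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    return os.fdopen(fd, "w")


def fake_swig(xml_path):
    # Constructed stand-in for swig: a child process that writes the file.
    code = "import sys; open(sys.argv[1], 'w').write('<top/>')"
    return [sys.executable, "-c", code, xml_path]


def demo_preexisting_name():
    """Show that O_EXCL refuses a name that was created first by someone else."""
    with tempfile.TemporaryDirectory() as d:
        name = os.path.join(d, "predicted.xml")
        open(name, "w").close()  # constructed: the name is already taken
        try:
            exclusive_create(name).close()
        except FileExistsError:
            return "refused"
        return "overwritten"


if __name__ == "__main__":
    print(run_with_private_xml(fake_swig), demo_preexisting_name())
```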