Source: tox
Version: 1.6.0-1
Severity: grave
Tags: security

This package runs tests with HOME set to /tmp. But HOME is supposed to be writable only by trusted users, whereas /tmp is world-writable.
A malicious local user could exploit this flaw to execute arbitrary code, by putting a crafted Python module into /tmp/.local/lib/python2.7/site-packages/.
-- Jakub Wilk
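
A pre-test check for the condition described in the report, and a private replacement HOME, as an added example that is not part of the original report or of the Debian packaging. The function names `user_site_for`, `audit_home` and `private_home` are hypothetical, and the default `2.7` is taken from the path quoted above.

```python
import os
import shutil
import stat
import tempfile
from contextlib import contextmanager


def user_site_for(home, version="2.7"):
    # Per-user site-packages path derived from HOME, as quoted in the report.
    return os.path.join(home, ".local", "lib", "python" + version,
                        "site-packages")


def audit_home(home, version="2.7"):
    """Return {path: [reasons]} for HOME and every existing directory on the
    way to the user site dir that an untrusted local user could modify."""
    trusted = {0, os.getuid()}  # assumption: only root and ourselves are trusted
    findings = {}
    path = home
    parts = os.path.relpath(user_site_for(home, version), home).split(os.sep)
    for part in [None] + parts:
        if part is not None:
            path = os.path.join(path, part)
        try:
            st = os.stat(path)
        except OSError:
            break  # nothing below this point exists yet
        reasons = []
        if st.st_uid not in trusted:
            reasons.append("owned by untrusted uid %d" % st.st_uid)
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if reasons:
            findings[path] = reasons
    return findings


@contextmanager
def private_home():
    """Run the body with HOME pointing at a fresh directory of mode 0700."""
    old = os.environ.get("HOME")
    home = tempfile.mkdtemp(prefix="test-home-")  # mkdtemp creates it 0700
    os.environ["HOME"] = home
    try:
        yield home
    finally:
        if old is None:
            os.environ.pop("HOME", None)
        else:
            os.environ["HOME"] = old
        shutil.rmtree(home, ignore_errors=True)
```

A non-empty result from `audit_home(os.environ["HOME"])` is a reason to abort the test run; child processes started inside `with private_home():` inherit the private HOME.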