Your message dated Thu, 4 Sep 2014 20:03:22 -0400
with message-id <20140904200322.0c089...@anarchist.wooz.org>
and subject line
has caused the Debian Bug report #751804,
regarding tox: runs tests with HOME=/tmp
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
751804: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751804
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tox
Version: 1.6.0-1
Severity: grave
Tags: security
This package runs tests with HOME set to /tmp. But HOME is supposed to
be writable only by trusted users, whereas /tmp is world-writable.
A malicious local user could exploit this flaw to execute arbitrary code
by putting a crafted Python module into
/tmp/.local/lib/python2.7/site-packages/.
--
Jakub Wilk
--- End Message ---
--- Begin Message ---
Version: 1.7.1-1
I don't believe this bug affects tox after 1.7.1 (I didn't go back farther
than that). Neither d/rules nor d/tests/built set $HOME any more, since
upstream fixed the issue causing this.
--- End Message ---