Nikolaus Schulz wrote:
> > Not being a python programmer, I missed the tempfile.tempdir setting,
> > which, if it makes tempfile.mktemp use that temp dir, should make the
> > program safe for all calls to mktemp from then on. Whether it's
> > exploitable would thus depend on whether there are any calls to the
> > other functions first. It seems like those calls all happen afterwards,
> > I'm not 100% sure.
>
> I've examined this, and I think there is no security issue in
> archivemail.py.
>
> There are four calls to tempfile.mktemp(): two in the constructor of
> the ArchiveMbox class, one in the RetainMbox class constructor, and
> finally, one in the archive() function. The latter is the code section
> Noah has cited above, and since the umask is set to 077 before and
> tempfile.tempdir is set, it should all be safe. Though I'd say it's
> still reasonable to patch the code to use mkstemp() instead.

I think you're right.

> > The test suite still seems raceable for sure, though that's lower
> > exploitability.
>
> Agreed. Does this whole thing warrant a CVE?

Dunno. One has, however, been assigned.

--
see shy jo
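
The reasoning in the thread, as an added example that is not archivemail's code and not part of the original message: with a 077 umask and `tempfile.tempdir` pointed at a private directory, `mktemp()` names land where no other user can create entries, while `mkstemp()` creates the file exclusively in a single step. The helper names (`is_private`, `enter_private_tempdir`, `refuses_existing`, `demo`) and the `example-` prefix are assumptions made for illustration.

```python
import os
import shutil
import stat
import tempfile


def is_private(path):
    """True if path is owned by us and grants nothing to group or other."""
    st = os.lstat(path)
    return st.st_uid == os.getuid() and (stat.S_IMODE(st.st_mode) & 0o077) == 0


def enter_private_tempdir():
    """Mitigation described in the thread: 077 umask plus a private default dir."""
    os.umask(0o077)
    private = tempfile.mkdtemp(prefix="example-")  # mkdtemp creates it mode 0700
    tempfile.tempdir = private  # later mktemp()/mkstemp() calls default to it
    return private


def refuses_existing(path):
    """O_EXCL creation, which mkstemp() relies on, fails on an existing name."""
    try:
        os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
        return False
    except FileExistsError:
        return True


def demo():
    """Run both approaches in a private directory and report what was observed."""
    saved_dir, saved_umask = tempfile.tempdir, os.umask(0o077)
    private = enter_private_tempdir()
    try:
        name = tempfile.mktemp(suffix=".tmp")  # a name only, nothing reserved
        fd, path = tempfile.mkstemp(suffix=".tmp")  # created and opened at once
        os.close(fd)
        return {
            "dir_private": is_private(private),
            "mktemp_name_in_private_dir": os.path.dirname(name) == private,
            "mktemp_created_file": os.path.exists(name),
            "mkstemp_file_private": is_private(path),
            "exclusive_create_refuses_existing": refuses_existing(path),
        }
    finally:
        shutil.rmtree(private, ignore_errors=True)
        tempfile.tempdir = saved_dir
        os.umask(saved_umask)
```
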