Bug#385253: uses temporary files unsafely; race

2006-09-10 Thread Joey Hess
Nikolaus Schulz wrote:
> > Not being a python programmer, I missed the tempfile.tempdir setting,
> > which, if it makes tempfile.mktemp use that temp dir, should make the
> > program safe for all calls to mktemp from then on. Whether it's
> > exploitable would thus depend on whether there are any c

Bug#385253: uses temporary files unsafely; race

2006-09-10 Thread Nikolaus Schulz
Joey Hess wrote:
> Noah Meyerhans wrote:
> > Upon investigating this for stable, I wonder if the problem is as bad as
> > reported. It seems that archivemail sets up its own temp directory and
> > creates its files in it:
> >
> > # create a temporary directory for us to work in securely
> >

Bug#385253: uses temporary files unsafely; race

2006-08-30 Thread Joey Hess
Noah Meyerhans wrote:
> On Wed, Aug 30, 2006 at 12:10:29AM -0400, Joey Hess wrote:
> > Package: archivemail
> > Version: 0.6.2-1
> > Severity: grave
> > Tags: security
>
> This is CVE-2006-4245. Please mention that in a future changelog entry
> for unstable. (I see that you already uploaded 0.6.

Bug#385253: uses temporary files unsafely; race

2006-08-30 Thread Joey Hess
Noah Meyerhans wrote:
> Upon investigating this for stable, I wonder if the problem is as bad as
> reported. It seems that archivemail sets up its own temp directory and
> creates its files in it:
>
> # create a temporary directory for us to work in securely
> old_temp_dir = tempfile.temp

Bug#385253: uses temporary files unsafely; race

2006-08-30 Thread Noah Meyerhans
Upon investigating this for stable, I wonder if the problem is as bad as reported. It seems that archivemail sets up its own temp directory and creates its files in it:

    # create a temporary directory for us to work in securely
    old_temp_dir = tempfile.tempdir
    tempfile.tempdir = None

Bug#385253: uses temporary files unsafely; race

2006-08-30 Thread Noah Meyerhans
On Wed, Aug 30, 2006 at 12:10:29AM -0400, Joey Hess wrote:
> Package: archivemail
> Version: 0.6.2-1
> Severity: grave
> Tags: security

This is CVE-2006-4245. Please mention that in a future changelog entry for unstable. (I see that you already uploaded 0.6.2-2 to fix this in unstable.)

noah

Bug#385253: uses temporary files unsafely; race

2006-08-29 Thread Joey Hess
Package: archivemail
Version: 0.6.2-1
Severity: grave
Tags: security

tempfile.mktemp in python has this comment:

User-callable function to return a unique temporary file name. The file is not created. Arguments are as for mkstemp, except that the 'text' argument is not accepted.