|
Message-ID: <514BFA1C.6040301@redhat.com> Date: Fri, 22 Mar 2013 00:28:44 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: David Black <disclosure@....org> Subject: Re: CVE Request: python-pip insecure temporary directory handling -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/20/2013 08:13 AM, David Black wrote: > Prior to version 1.3 pip used '/tmp/pip-build' as a temporary > directory and as per the report in > https://github.com/pypa/pip/issues/725 would follow a symbolic > link placed at '/tmp/pip-build' when writing temporary files. > Is this the one actually fixed in https://github.com/pypa/pip/pull/780/files ? thanks. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRS/obAAoJEBYNRVNeJnmTZLoP/jKyjznzB0IIFJ9MP0fR8lh3 JtxidUWEPpTBBse74c/xEpI3K5k+atITJKryvLDJzCYzeRziNo8vX5MU1j/ok0tP wLrSnP9zVd0lRQBdr4C9Ym8m+/D+RLtRmJqhCV9ijXrTuNJblogyEJBC08JR6wuR mDGejMmw895KRh+23O5vW38GLR4nk6hyyPHwFVgNWSc+28yrSj/M472Mq9QmnpwV l7wcep5G91SoIMMQHV2iDUzBvOktIzdI0kxLfZFZjfyUS9mLJ8lfgCyHXjJ/05fk 08C3T3bLjjgkl/5F7wtrsnRFfBkzeML348D6H/+A7B6okdPGAsaBtMK1oAe7d/dl KrjQqmya4DY53BejghuCzo00NJUfTo1i8FbNPYZCHVj73FivBxjeDss7btVWpFYo 06lidSqEt5Huy/n6AYGOU8zm9FCebrtm7SfD1KMQnW+3ZOmMfAieztdfuxzNwOeT N4+9LYsx1TtVXUZknfMCJQKX1xIPtU7B420gQZMlbvQaPFuyVSx0l7JLlnSaYz45 PNrVZvqDfdpicacPMdS3HXCJUy6WEYElJetiiZjPrK6ccBeNa3NCuWQBkcMg5Pno kT7pMW0n0V5YlCNSHDg2/Itj+hanWp5iK96wqmm+JrKCxRxzOpx0lTp8NCiaHRzh ccwj9wn5r/djvEingyi0 =WU5i -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.