Your message dated Tue, 7 Sep 2021 22:14:38 -0400
with message-id 
<cab4xwxwr3mzbqm2_qummnah2jhfovxwsrixsnftra04ueuk...@mail.gmail.com>
and subject line Re: pytest: insecure use of /tmp
has caused the Debian Bug report #915803,
regarding pytest: insecure use of /tmp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
915803: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915803
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pytest
Version: 3.10.1-1
Tags: security

The "tmpdir" fixture[*] uses /tmp/pytest-of-$USER/ as a temporary directory, even when this directory already exists and is owned by another (potentially malicious) user:

  $ ls -ld /tmp/pytest-of-jwilk/
  drwxrwxrwx 2 mallory mallory 40 Dec  6 22:29 /tmp/pytest-of-jwilk/

  $ echo 'def test_foo(tmpdir): pass' > test.py

  $ python3 -m pytest -q test.py
  .                                                                        [100%]
  1 passed in 0.05 seconds

  $ ls -alr /tmp/pytest-of-jwilk
  total 0
  lrwxrwxrwx  1 jwilk   jwilk    29 Dec  6 22:30 pytest-current -> /tmp/pytest-of-jwilk/pytest-0
  drwx------  3 jwilk   jwilk    80 Dec  6 22:30 pytest-0
  drwxrwxrwt 11 root    root    340 Dec  6 22:30 ..
  drwxrwxrwx  3 mallory mallory  80 Dec  6 22:30 .


[*] https://docs.pytest.org/en/3.10.1/tmpdir.html#the-tmpdir-fixture

--
Jakub Wilk

--- End Message ---
--- Begin Message ---
Version: 6.2.5-1

On Thu, 6 Dec 2018 22:48:58 +0100 Jakub Wilk <[email protected]> wrote:
> Source: pytest
> Version: 3.10.1-1
> Tags: security
>
> The "tmpdir" fixture[*] uses /tmp/pytest-of-$USER/ as a temporary
> directory, even when this directory already exists and is owned by
> another (potentially malicious) user:
>
>    $ ls -ld /tmp/pytest-of-jwilk/
>    drwxrwxrwx 2 mallory mallory 40 Dec  6 22:29 /tmp/pytest-of-jwilk/
>
>    $ echo 'def test_foo(tmpdir): pass' > test.py
>
>    $ python3 -m pytest -q test.py
>    .                                                                        [100%]
>    1 passed in 0.05 seconds
>
>    $ ls -alr /tmp/pytest-of-jwilk
>    total 0
>    lrwxrwxrwx  1 jwilk   jwilk    29 Dec  6 22:30 pytest-current -> /tmp/pytest-of-jwilk/pytest-0
>    drwx------  3 jwilk   jwilk    80 Dec  6 22:30 pytest-0
>    drwxrwxrwt 11 root    root    340 Dec  6 22:30 ..
>    drwxrwxrwx  3 mallory mallory  80 Dec  6 22:30 .
>
>
> [*] https://docs.pytest.org/en/3.10.1/tmpdir.html#the-tmpdir-fixture

According to the changelog at
https://docs.pytest.org/en/6.2.x/changelog.html#pytest-6-2-3-2021-04-03
this condition has been fixed in 6.2.3, so it's included in the latest
version of pytest just uploaded.

--- End Message ---
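
The check the report calls for, as an added example (not pytest's code and not written by either correspondent): before reusing a per-user directory under a shared temp directory, confirm it is a real directory, owned by the current user, and closed to group and other. The names `UnsafeTempDir`, `check_private_dir`, `user_tmp_root`, `outcome` and `demo` are hypothetical, and the directories are constructed in a scratch location standing in for /tmp.

```python
import os
import stat
import tempfile


class UnsafeTempDir(Exception):
    """The per-user temp root exists but cannot be trusted."""


def check_private_dir(path, uid):
    """Raise unless path is a real directory owned by uid, closed to group/other."""
    st = os.lstat(path)  # lstat: never follow a symlink someone else planted
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeTempDir(f"{path} is not a directory")
    if st.st_uid != uid:
        raise UnsafeTempDir(f"{path} is owned by uid {st.st_uid}, not {uid}")
    if st.st_mode & 0o077:
        raise UnsafeTempDir(f"{path} is accessible to group/other")


def user_tmp_root(base, user, uid=None):  # create or validate base/pytest-of-<user>
    uid = os.geteuid() if uid is None else uid
    root = os.path.join(base, f"pytest-of-{user}")
    try:
        os.mkdir(root, 0o700)  # EEXIST if any entry, even a symlink, is there
    except FileExistsError:
        pass  # pre-existing entry: usable only if the checks below pass
    check_private_dir(root, uid)
    return root


def outcome(base, user, uid=None):
    try:
        user_tmp_root(base, user, uid)
        return "ok"
    except UnsafeTempDir:
        return "rejected"


def demo():
    with tempfile.TemporaryDirectory() as base:  # constructed stand-in for /tmp
        res = {"fresh": outcome(base, "alice"), "reuse": outcome(base, "alice")}
        os.mkdir(os.path.join(base, "pytest-of-bob"))
        os.chmod(os.path.join(base, "pytest-of-bob"), 0o777)  # as in the report
        res["world_writable"] = outcome(base, "bob")
        os.symlink(os.path.join(base, "pytest-of-alice"), os.path.join(base, "pytest-of-carol"))
        res["symlink"] = outcome(base, "carol")
        res["other_owner"] = outcome(base, "dave", uid=os.geteuid() + 1)  # simulated
        return res
```

The foreign-owner case is simulated by passing an expected uid that differs from the real one, since creating a directory as another user needs privileges the example does not assume.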