On Fri, 05 Dec 2014, Salvatore Bonaccorso wrote:
> Control: tags -1 + patch upstream fixed-upstream
> Control: forwarded -1 https://bitbucket.org/nicfit/eyed3/issue/65/tagpy-in-eyed3-allows-local-users-to
>
> Hi Alexander,
>
> On Wed, Jan 29, 2014 at 09:33:16PM +0100, Jakub Wilk wrote:
> > Package: python-eyed3
> > Version: 0.6.18-1
> > Severity: important
> > Tags: security
> >
> > eyeD3/tag.py contains this code (twice):
> >
> > # Open tmp file
> > tmpName = tempfile.mktemp();
> > tmpFile = file(tmpName, "w+b");
> >
> > From the tempfile.mktemp() docstring: “This function is unsafe and should
> > not be used. The file name refers to a file that did not exist at some
> > point, but by the time you get around to creating it, someone else may have
> > beaten you to the punch.”
>
> Upstream report is at [1] with commit [2] fixing this issue.
>
> [1] https://bitbucket.org/nicfit/eyed3/issue/65/tagpy-in-eyed3-allows-local-users-to
> [2] https://bitbucket.org/nicfit/eyed3/commits/372bbacb7a70

tbh, I don't do python anymore for some time now and I wasn't able to fix
the broken build system coming with new versions. Therefore my plan was to
orphan that package and leave it to someone that knows python better than me.

Alex
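
Added example (not part of the thread and not the upstream commit): the difference between opening a pre-chosen name, as in the quoted `tag.py` snippet, and exclusive creation with the flags `tempfile.mkstemp()` relies on. The scratch directory, file names and helper functions are constructed for illustration, and the "name already taken" condition is simulated with a symlink inside a private directory.

```python
import os
import tempfile


def unsafe_open(path):
    """Pattern from the report: plain open() on a name chosen earlier.
    It follows whatever exists at that path by now, symlinks included."""
    return open(path, "w+b")


def exclusive_open(path):
    """Exclusive creation (O_CREAT|O_EXCL, mode 0600), as mkstemp() uses.
    Fails if anything (file or symlink) already occupies the name."""
    flags = os.O_RDWR | os.O_CREAT | os.O_EXCL
    fd = os.open(path, flags, 0o600)
    return os.fdopen(fd, "w+b")


def demo():
    """Simulate a name that was taken between selection and creation."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim.dat")
        with open(victim, "wb") as f:
            f.write(b"original")
        # Constructed scenario: the predicted name already points elsewhere.
        guessed = os.path.join(scratch, "tmpGUESSED")
        os.symlink(victim, guessed)

        try:
            exclusive_open(guessed).close()
            results["exclusive_refused"] = False
        except FileExistsError:
            results["exclusive_refused"] = True
        with open(victim, "rb") as f:
            results["victim_after_exclusive"] = f.read()

        unsafe_open(guessed).close()  # "w+b" truncates the link target
        with open(victim, "rb") as f:
            results["victim_after_unsafe"] = f.read()

        # The fix: let mkstemp pick the name and create it atomically.
        fd, safe_name = tempfile.mkstemp(dir=scratch)
        results["mkstemp_mode"] = oct(os.stat(safe_name).st_mode & 0o777)
        os.close(fd)
    return results


if __name__ == "__main__":
    print(demo())
```

When auditing other code for the same defect, search for `mktemp(` calls followed by a separate `open()` or `file()` on the returned name.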

