I've been sleeping on this one because it doesn't affect our package manager, but if you use pytest on a multi-user system or for CI in the cloud, then maybe it is of interest.
Bug report: https://github.com/pytest-dev/pytest/issues/13669

I requested a CVE last week from MITRE but haven't heard back yet. The details are unexciting so I'll keep it short.

Summary
=======

On UNIX, pytest uses a predictable naming scheme under /tmp with a UID check for added security. The UID check however follows symlinks and is vulnerable to a TOCTOU (time-of-check/time-of-use) race. This leaves pytest exposed to the well-known classes of attack against predictable names in a shared /tmp. The risk ultimately depends on how pytest is used, but denial of service is trivial and code execution is possible.

Mitigation
==========

In the meantime, I would recommend creating your own temporary directory securely using, say, $(mktemp -d), and then overriding the default using one of the standard environment variables (check the docs for Python's tempfile.gettempdir; TMPDIR is the usual one) or PYTEST_DEBUG_TEMPROOT.

On Linux, it's a good idea to set the relevant sysctls:

    fs.protected_fifos = 2
    fs.protected_regular = 2
    fs.protected_symlinks = 1
    fs.protected_hardlinks = 1
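The following is an added example, not code from pytest or from the report above. It illustrates both points of the post: why a UID check that follows symlinks (os.stat) accepts an attacker-planted link at a predictable name while an lstat-based check does not, and how to hand pytest a private temp root (the mktemp -d mitigation, here via tempfile.mkdtemp, exported through PYTEST_DEBUG_TEMPROOT and TMPDIR). The function names are mine, and in the constructed scenario a single user stands in for both attacker and victim, which is enough to show the stat/lstat difference; the environment variable names are the ones the post and the tempfile docs name.

```python
"""Added example; not part of the original post or of pytest itself."""
import os
import stat
import tempfile
from typing import Optional, Tuple


def owner_check_follows_symlinks(path: str) -> bool:
    """The weak pattern: os.stat() follows a symlink, so a link planted by
    another user that points at a directory we own passes this check."""
    st = os.stat(path)
    return st.st_uid == os.getuid()


def is_private_dir(path: str) -> bool:
    """Stricter check: not a symlink (lstat), a real directory, owned by us,
    and not accessible by group/other. A check alone still leaves a race;
    creating the directory ourselves (below) is what closes the window."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.getuid():
        return False
    return (st.st_mode & 0o077) == 0


def make_private_temproot(parent: Optional[str] = None) -> str:
    """Python equivalent of `mktemp -d`: a fresh, unpredictable, mode-0700
    directory, then point pytest and tempfile.gettempdir() at it."""
    root = tempfile.mkdtemp(prefix="pytest-root-", dir=parent)
    if not is_private_dir(root):
        raise RuntimeError("freshly created temp root failed ownership check")
    os.environ["PYTEST_DEBUG_TEMPROOT"] = root  # pytest override named in the post
    os.environ["TMPDIR"] = root                 # consulted by tempfile.gettempdir()
    return root


def current_temproot() -> Optional[str]:
    """Return what pytest would pick up from the environment."""
    return os.environ.get("PYTEST_DEBUG_TEMPROOT")


def demo_symlink_passes_weak_check(scratch: Optional[str] = None) -> Tuple[bool, bool]:
    """Constructed scenario: a predictable name (pytest-of-<user> style) that is
    really a symlink to a directory the victim owns. Returns the verdicts of
    (weak stat-based check, strict lstat-based check)."""
    scratch = scratch or tempfile.mkdtemp(prefix="demo-scratch-")
    victim_dir = os.path.join(scratch, "victim-owned")
    os.mkdir(victim_dir, 0o700)
    # In the real attack the attacker creates this link; here the same
    # user does, which does not change what stat() versus lstat() report.
    predictable = os.path.join(scratch, "pytest-of-victim")
    os.symlink(victim_dir, predictable)
    return owner_check_follows_symlinks(predictable), is_private_dir(predictable)


if __name__ == "__main__":
    weak, strict = demo_symlink_passes_weak_check()
    print("weak check accepts symlink:", weak, "| strict check accepts:", strict)
    print("private temp root:", make_private_temproot())
```

The weak check returns True for the symlink because stat() resolves it to the victim-owned target; the strict check returns False because lstat() sees the link itself. Even the strict check is only a guard: the mitigation that actually removes the race is creating the directory yourself with an unpredictable name and 0700 permissions, then telling pytest to use it.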
