Serhiy Storchaka added the comment:

I hesitate about applying the patch to maintained releases. On one hand, 
even though the interface (including non-documented details) is left the same, 
the patch changes the internals too much for an ordinary bug. I don't see how it 
can break something, but this doesn't guarantee that the changes don't have 
unexpected effects.

On the other hand, this bug can be considered a security-related issue. A 
malicious local attacker could replace the ZIP file between its open and a read 
from it, or between two reads, if he has write access to the directory 
containing the ZIP file or there are symlinks under his control in the ZIP file 
path. The danger of this may exceed the hypothetical negative consequences of 
applying the patch.

I appeal the matter to the release managers. Should we apply this patch (the 
risk is pretty small) to 2.7 and 3.4?

nosy: +benjamin.peterson, larry

Python tracker <>
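The race the comment describes (the archive on disk being swapped between the open and a later read) is the kind of thing a caller can guard against on their own side, independently of the tracker patch. The script below is an added illustration and is not the patch under discussion or any code from the Python tracker: it hands `zipfile.ZipFile` an already-open file object instead of a path, so every member read goes through the same handle and therefore the same inode, and it compares `os.fstat` on the handle with `os.stat` on the path to detect a swap that happened before the first read. The `data.zip` / `other.zip` names and the `a.txt` member are constructed sample data.

```python
import os
import tempfile
import zipfile


def build_zip(path, member, payload):
    """Write a one-member ZIP archive to `path` (constructed sample data)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(member, payload)


def read_member_from_handle(path, member):
    """Open the archive once and read `member` through that same handle.

    Because ZipFile is given a file object rather than a path, a later
    replacement of the directory entry at `path` cannot redirect the read:
    the handle still refers to the inode that was opened. The fstat/stat
    comparison additionally detects a swap that happened between open()
    and the first read.
    """
    with open(path, "rb") as fp:
        opened = os.fstat(fp.fileno())
        on_disk = os.stat(path)
        if (opened.st_dev, opened.st_ino) != (on_disk.st_dev, on_disk.st_ino):
            raise RuntimeError("archive at %s was replaced after open" % path)
        with zipfile.ZipFile(fp) as zf:
            return zf.read(member)


def demo_swap_after_open():
    """Open an archive by handle, swap the path underneath it, then read.

    Returns the bytes read after the swap. With handle-based access they are
    the original payload, not the replacement's, because ZipFile never
    reopens the path.
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "data.zip")
        replacement = os.path.join(d, "other.zip")
        build_zip(path, "a.txt", b"original")
        build_zip(replacement, "a.txt", b"replaced")
        with open(path, "rb") as fp:
            zf = zipfile.ZipFile(fp)
            # Simulate the race: the directory entry is swapped between the
            # open and the read (os.replace is atomic on POSIX).
            os.replace(replacement, path)
            data = zf.read("a.txt")
            zf.close()
        return data


def demo_handle_read():
    """Round-trip through read_member_from_handle on an unswapped archive."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "data.zip")
        build_zip(path, "a.txt", b"original")
        return read_member_from_handle(path, "a.txt")


if __name__ == "__main__":
    print("after swap, handle-based read returned:", demo_swap_after_open())
    print("checked handle read returned:", demo_handle_read())
```

The inode check only covers the window before the first read; the real protection is that all subsequent reads reuse the handle, which is exactly the property a path-based reopen loses.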