Control: tag -1 moreinfo

On Sun, May 28, 2017 at 08:51:27AM +0900, Kouhei Maeda wrote:
> +export PYBUILD_BEFORE_BUILD=cp -a $(CURDIR)/src/blockdiag.egg-info
> {build_dir};cp -f $(CURDIR)/debian/circle.* /tmp/
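
Review bot: the second command in PYBUILD_BEFORE_BUILD, "cp -f $(CURDIR)/debian/circle.* /tmp/", writes files with predictable names into a shared directory outside the build tree, and nothing in this line removes them afterwards. Consider copying them into {build_dir}, which the first cp already uses as its destination, or into a private directory created with mktemp -d, provided whatever reads these files can be pointed at that location.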

Apologies for not spotting it sooner, but there's a symlink vulnerability
here (imagine if /tmp/circle.* was a symlink to something important),
and I'm not sure that you should hardcode /tmp either ($TMPDIR?).

I'm a bit concerned there's more going on here than just the bug fixes.
What would the minimum required changes to fix #860689 and #847930 look
like?

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
