Control: tag -1 moreinfo

On Sun, May 28, 2017 at 08:51:27AM +0900, Kouhei Maeda wrote:
> +export PYBUILD_BEFORE_BUILD=cp -a $(CURDIR)/src/blockdiag.egg-info
> {build_dir};cp -f $(CURDIR)/debian/circle.* /tmp/
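Review bot: beyond following a pre-existing symlink, `cp -f $(CURDIR)/debian/circle.* /tmp/` writes the files into a shared, world-writable directory under predictable names, so anything that later reads `/tmp/circle.*` cannot tell which user put them there; since the same variable already copies the egg-info into `{build_dir}`, copy `debian/circle.*` there too, or into a directory created with `mktemp -d` under `${TMPDIR:-/tmp}`, and point the build at that path instead of a fixed `/tmp`.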
Apologies for not spotting it sooner, but there's a symlink vulnerability here (imagine if /tmp/circle.* was a symlink to something important), and I'm not sure that you should hardcode /tmp either ($TMPDIR?).

I'm a bit concerned there's more going on here than just the bug fixes. What would the minimum required changes to fix #860689 and #847930 look like?

-- 
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
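The symlink hazard in the quoted `cp -f ... /tmp/` line, as an added example that is not code from the bug report or the blockdiag packaging: the unsafe copy is shown beside a hardened form that uses a private `mktemp -d` directory under `$TMPDIR`, and the function names and sandbox paths are assumptions made for the demonstration.

```shell
# Added example, not code from the bug report or the blockdiag packaging.
# unsafe_copy mirrors the quoted `cp -f ... /tmp/`; safe_copy is the
# mktemp-based alternative. Function names and sandbox paths are assumptions.

# Unsafe: cp opens the existing destination name, so if another user has
# pre-planted a symlink there the data is written through to its target.
unsafe_copy() {
    src="$1"; shared_dir="$2"
    cp -f "$src" "$shared_dir/"
}

# Hardened: a fresh mode-0700 directory from mktemp -d under $TMPDIR
# (default /tmp) cannot contain anything pre-planted. Prints the dir used.
safe_copy() {
    src="$1"
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/circle.XXXXXX") || return 1
    cp -f "$src" "$workdir/" || return 1
    printf '%s\n' "$workdir"
}

# Returns 0 when the unsafe copy clobbered the symlink's target (it does).
demo_unsafe_clobbers_target() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/shared"
    printf 'important\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/shared/circle.png"   # pre-planted link
    printf 'image data\n' > "$sandbox/circle.png"
    unsafe_copy "$sandbox/circle.png" "$sandbox/shared"
    result=$(cat "$sandbox/victim")
    rm -rf "$sandbox"
    [ "$result" = "image data" ]
}

# Returns 0 when the safe copy landed in a private 0700 directory.
demo_safe_copy_private_dir() {
    sandbox=$(mktemp -d) || return 1
    printf 'image data\n' > "$sandbox/circle.png"
    workdir=$(TMPDIR="$sandbox" safe_copy "$sandbox/circle.png") || return 1
    perm=$(stat -c '%a' "$workdir" 2>/dev/null || stat -f '%Lp' "$workdir")
    result=$(cat "$workdir/circle.png")
    rm -rf "$sandbox"
    [ "$result" = "image data" ] && [ "$perm" = "700" ]
}
```

Running `demo_unsafe_clobbers_target` shows the "copy" replacing the contents of the file the symlink points at; `demo_safe_copy_private_dir` shows the same copy landing in a directory nobody else could have populated.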