On Wed, 29/1/14, Donald Stufft <don...@stufft.io> wrote:

> Mitre's rules for CVEs are not entirely obvious to people who are not
> familiar with them. Generally if the feature *can* be used securely or
> there was no evidence that the author intended that the code be secure
> they will not issue a CVE. The issue is that the feature makes a very
> attractive footgun for people using it to do the wrong thing and have it
> be a very bad idea.

So, was a CVE issued against setuptools? My understanding is that it wasn't - have I misunderstood?

tool = setuptools
footgun = configurability of egg cache using PYTHON_EGG_CACHE
trigger = setuptools user sets PYTHON_EGG_CACHE to a world writeable directory
shot = malicious user replaces eggs in the cache with malicious code

BTW when no HOME directory is available, distlib uses tempfile.mkdtemp() which IIUC provides a directory with permissions of 0700, which should be safe from tampering. Do you see a security problem with this?

Regards,

Vinay Sajip
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
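The "footgun" chain above (a cache directory that other local users can write to) is easy to check for before a tool extracts into it. The following is an added, constructed example, not code from distlib, setuptools, or this thread: `cache_dir_problems()` reports the properties that make a directory unsafe as an extraction cache (writable by group or others, or not owned by the current user), and the two helpers show that a `tempfile.mkdtemp()` directory passes (it is created with mode 0700 on POSIX) while the same directory chmod'ed to 0777 does not. The function names and the `PYTHON_EGG_CACHE` lookup in the `__main__` block are this example's own choices.

```python
import os
import stat
import tempfile

# Constructed example (not distlib's or setuptools' code): a defender-side
# check that an extraction/egg cache directory cannot be tampered with by
# other local users.


def cache_dir_problems(path):
    """Return a list of reasons why `path` is unsafe as an extraction cache.

    An empty list means the directory exists, is a real directory (not a
    symlink), is owned by the current user and is writable only by that
    user. These are exactly the properties a tempfile.mkdtemp() directory
    has on POSIX systems, where it is created with mode 0700.
    """
    problems = []
    try:
        st = os.lstat(path)  # lstat: a symlink at the cache path is itself suspicious
    except FileNotFoundError:
        return ["does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory (or is a symlink)"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        problems.append("world-writable (mode %o)" % mode)
    if mode & stat.S_IWGRP:
        problems.append("group-writable (mode %o)" % mode)
    # Ownership check is POSIX-only; skip it where geteuid() is unavailable.
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        problems.append("owned by uid %d, not the current user" % st.st_uid)
    return problems


def default_cache_dir_is_safe():
    """A fresh tempfile.mkdtemp() directory should report no problems."""
    d = tempfile.mkdtemp(prefix="egg-cache-")
    try:
        return cache_dir_problems(d) == []
    finally:
        os.rmdir(d)


def world_writable_cache_dir_problems():
    """Simulate the footgun: the same kind of directory chmod'ed to 0777."""
    d = tempfile.mkdtemp(prefix="egg-cache-")
    try:
        os.chmod(d, 0o777)
        return cache_dir_problems(d)
    finally:
        os.chmod(d, 0o700)
        os.rmdir(d)


if __name__ == "__main__":
    # Inspect whatever PYTHON_EGG_CACHE points at in this environment, if set.
    configured = os.environ.get("PYTHON_EGG_CACHE")
    if configured:
        print("PYTHON_EGG_CACHE =", configured, "->",
              cache_dir_problems(configured) or "ok")
    print("mkdtemp() directory safe:", default_cache_dir_is_safe())
    print("0777 directory problems:", world_writable_cache_dir_problems())
```

Run it as-is to see the two outcomes; in a real tool the natural place for the check is immediately before extraction, refusing (or falling back to `mkdtemp()`) when the configured directory reports any problem.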
> Mitre’s rules for CVEs are not entirely obvious to people who are not > familiar with them. Generally if the feature *can* be used securely or > there was no evidence that the author intended that the code be secure > they will not issue a CVE. The issue is that the feature makes a very > attractive footgun for people using it to do the wrong thing and have it > be a very bad idea. So, was a CVE issued against setuptools? My understanding is that it wasn't - have I misunderstood? tool = setuptools footgun = configurability of egg cache using PYTHON_EGG_CACHE trigger = setuptools user sets PYTHON_EGG_CACHE to a world writeable directory shot = malicious user replaces eggs in the cache with malicious code BTW when no HOME directory is available, distlib uses tempfile.mkdtemp() which IIUC provides a directory with permissions of 0700, which should be safe from tampering. Do you see a security problem with this? Regards, Vinay Sajip _______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig