[Python-modules-team] Bug#725847: Requesting a CVE for pip - Local DoS with predictable temp directory names

2014-11-19 Thread cve-assign
> because the build directory is predictable a local DoS is possible
> simply by creating a /tmp/pip-build-/ directory owned by
> someone other than the defined user
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725847
> https://github.com/pyp

[Python-modules-team] Bug#737778: CVE request: f2py insecure temporary file use

2014-02-07 Thread cve-assign
> Jakub Wilk reported insecure temporary file use in f2py.
>
> numpy/f2py/__init__.py contains this code:
>
> fname = os.path.join(tempfile.mktemp()+'.f')
>
> f = open(fname,'w')
>
> Can a CVE please be assigned if one hasn't been a

[Python-modules-team] Bug#736247: Fwd: Bug#736247: python-xdg: get_runtime_dir(strict=False): insecure use of /tmp

2014-01-21 Thread cve-assign
> as reported by Jakub Wilk in http://bugs.debian.org/736247, there is a
> TOCTOU failure in python's xdg module
>
> 1) Create symlink /tmp/pyxdg-runtime-dir-fallback-victim, pointing to a
> directory owned by the victim

Use CVE-2014-1624.

- -- CV