oss-sec mailing list archives
Re: CVE request: f2py insecure temporary file use
From: Murray McAllister <mmcallis () redhat com>
Date: Fri, 07 Feb 2014 09:47:05 +1100
On 02/06/2014 02:59 PM, Murray McAllister wrote:
Hello,

Jakub Wilk reported insecure temporary file use in f2py. From <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737778>:

""
numpy/f2py/__init__.py contains this code:

    from numpy.distutils.exec_command import exec_command
    import tempfile
    if source_fn is None:
        fname = os.path.join(tempfile.mktemp()+'.f')
    else:
        fname = source_fn

    f = open(fname,'w')
""

Can a CVE please be assigned if one hasn't been already?

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737778
https://bugzilla.redhat.com/show_bug.cgi?id=1062009

Thanks,

Thomas Spura noted in the Red Hat Bugzilla that a patch has been merged upstream:
https://github.com/numpy/numpy/pull/4262
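
The mktemp()-then-open() pattern quoted from the Debian report, shown beside a hardened form. This is an added example, not part of the original message and not the upstream patch. The function names, the file names and the sandbox contents are constructed for illustration, and the name-then-open gap is replayed inside a private temporary directory.

```python
import os
import tempfile

def write_source_unsafe(fname, source):
    """Pattern from the report: open a pre-chosen name with mode 'w'."""
    # open(..., 'w') follows symlinks and truncates whatever it reaches.
    with open(fname, "w") as f:
        f.write(source)

def write_source_safe(source, directory=None):
    """Hardened form: mkstemp() creates the file atomically (O_CREAT|O_EXCL, 0600)."""
    fd, fname = tempfile.mkstemp(suffix=".f", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(source)
    return fname

def demo():
    """Replay the gap between choosing a name and opening it (constructed data)."""
    result = {}
    with tempfile.TemporaryDirectory() as sandbox:
        victim = os.path.join(sandbox, "victim.txt")
        with open(victim, "w") as f:
            f.write("important data")
        # Stand-in for the name mktemp() returned: the file does not exist yet,
        # so another local user can place a symlink there before open() runs.
        predicted = os.path.join(sandbox, "tmpabc123.f")
        os.symlink(victim, predicted)

        write_source_unsafe(predicted, "      END\n")
        with open(victim) as f:
            result["victim_after_unsafe"] = f.read()

        # Exclusive creation refuses a name that already exists, symlink or not.
        try:
            os.close(os.open(predicted, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
            result["excl_refused"] = False
        except FileExistsError:
            result["excl_refused"] = True

        safe = write_source_safe("      END\n", directory=sandbox)
        result["safe_is_regular"] = not os.path.islink(safe)
        result["safe_mode"] = os.lstat(safe).st_mode & 0o777
        result["safe_suffix"] = safe.endswith(".f")
    return result

if __name__ == "__main__":
    print(demo())
```

When auditing a code base for the same problem, any `tempfile.mktemp()` result that is later passed to `open()` without exclusive creation is a candidate.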