[Distutils] Using Wheel with zipimport

Vinay Sajip vinay_sajip at yahoo.co.uk
Wed Jan 29 15:42:00 CET 2014

On Wed, 29/1/14, Donald Stufft <donald at stufft.io> wrote:

 > Mitre’s rules for CVEs are not entirely obvious to people who are not
> familiar with them. Generally if the feature *can* be used securely or
> there was no evidence that the author intended that the code be secure
> they will not issue a CVE. The issue is that the feature makes a very
> attractive footgun for people using it to do the wrong thing and have it
> be a very bad idea.
So, was a CVE issued against setuptools? My understanding is that it wasn't -
have I misunderstood?

tool = setuptools
footgun = configurability of egg cache using PYTHON_EGG_CACHE
trigger = setuptools user sets PYTHON_EGG_CACHE to a world writeable directory
shot = malicious user replaces eggs in the cache with malicious code

BTW when no HOME directory is available, distlib uses tempfile.mkdtemp() which
IIUC provides a directory with permissions of 0700, which should be safe from
tampering. Do you see a security problem with this?


Vinay Sajip

More information about the Distutils-SIG mailing list