[Distutils] Using Wheel with zipimport
Vinay Sajip
vinay_sajip at yahoo.co.uk
Wed Jan 29 15:42:00 CET 2014
--------------------------------------------
On Wed, 29/1/14, Donald Stufft <donald at stufft.io> wrote:
> Mitre’s rules for CVEs are not entirely obvious to people who are not
> familiar with them. Generally if the feature *can* be used securely or
> there was no evidence that the author intended that the code be secure
> they will not issue a CVE. The issue is that the feature makes a very
> attractive footgun for people using it to do the wrong thing and have it
> be a very bad idea.
So, was a CVE issued against setuptools? My understanding is that it wasn't -
have I misunderstood?
tool = setuptools
footgun = configurability of egg cache using PYTHON_EGG_CACHE
trigger = setuptools user sets PYTHON_EGG_CACHE to a world-writable directory
shot = malicious user replaces eggs in the cache with malicious code
BTW when no HOME directory is available, distlib uses tempfile.mkdtemp() which
IIUC provides a directory with permissions of 0700, which should be safe from
tampering. Do you see a security problem with this?
Regards,
Vinay Sajip
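An added illustration of the two cache-directory cases discussed in this message; it is example code written for this page, not code from the thread, setuptools or distlib. It assumes only the PYTHON_EGG_CACHE variable named above and checks the directory it points at: a directory from tempfile.mkdtemp() comes back with mode 0700 and passes, while a constructed world-writable directory is reported as unsafe because another account could replace what is cached in it. The helper names (cache_dir_is_safe, audit_egg_cache, demo) are hypothetical.

```python
import os
import stat
import tempfile


def cache_dir_is_safe(path):
    """True if `path` is a directory owned by the current user that no other
    account can write to. Hypothetical helper, not setuptools or distlib code."""
    try:
        st = os.lstat(path)   # lstat: a symlink standing in for the cache is not trusted
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        return False
    # Any group- or world-write bit lets another account replace cached eggs.
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def permission_bits(path):
    """The rwx permission bits of `path` as an int, e.g. 0o700."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o777


def audit_egg_cache(environ):
    """Report on the cache directory a PYTHON_EGG_CACHE setting points at.
    Returns (path, verdict) with verdict one of 'unset', 'safe', 'unsafe'."""
    path = environ.get("PYTHON_EGG_CACHE")
    if path is None:
        return None, "unset"
    return path, ("safe" if cache_dir_is_safe(path) else "unsafe")


def demo():
    """Run both scenarios from the thread on constructed directories and
    return the observations as a dict."""
    results = {}
    # Scenario 1: the fallback mentioned in the message, tempfile.mkdtemp().
    private = tempfile.mkdtemp(prefix="egg-cache-")
    results["mkdtemp_mode"] = permission_bits(private)   # mkdtemp creates it with 0o700
    results["mkdtemp_verdict"] = audit_egg_cache({"PYTHON_EGG_CACHE": private})[1]
    # Scenario 2 (constructed): PYTHON_EGG_CACHE set to a world-writable directory.
    shared = os.path.join(private, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o777)
    results["world_writable_verdict"] = audit_egg_cache({"PYTHON_EGG_CACHE": shared})[1]
    results["unset_verdict"] = audit_egg_cache({})[1]
    os.rmdir(shared)
    os.rmdir(private)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

The check deliberately uses lstat and an ownership test rather than only looking at the mode: a cache path that is a symlink, or a directory someone else owns, can be swapped out regardless of its permission bits.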