[Python-Dev] FWD: Python execvpe symlink race condition.
Guido van Rossum
guido@python.org
Sun, 16 Feb 2003 14:31:12 -0500

> If the exec problems were fixed in 2.2, doesn't that address the
> currently reported vulnerability?

Correct.

> I glanced at the Debian bug report and saw that it was reporting an
> exploit against 2.1.3. I see some value in doing a 2.1.4 release,
> but not enough value to justify the work.

Same here.

> Aren't the changes in tempfile primarily the addition of new functions
> (mkstemp, mkdtemp)? I think it would be good to backport new functions
> that address security issues. Were there changes to the behavior of
> mktemp(), too? It seems hard to justify an incompatible change to
> existing functions.

I think mktemp()'s API is unchanged if you don't count the warning
(which I disabled anyway). However the name template used for
temporary files is very different -- could this affect applications?

--Guido van Rossum (home page: http://www.python.org/~guido/)
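
Added example, not part of the original message and not code from the Python source tree: it contrasts the name-only behaviour of mktemp() with the create-and-open behaviour of mkstemp() that the thread calls a security fix. The helper function names and the pre-created file are constructed for illustration, and the permission check assumes a POSIX system.

```python
import os
import stat
import tempfile


def name_then_open_reuses_existing(workdir):
    """mktemp() only picks a name; a later plain open() accepts whatever is there."""
    name = tempfile.mktemp(dir=workdir)   # returns a path, creates nothing
    assert not os.path.exists(name)
    # Constructed stand-in for another process creating the path in the gap.
    with open(name, "w") as other:
        other.write("not ours")
    # A plain open succeeds and silently reuses a file we did not create.
    with open(name, "a"):
        pass
    with open(name) as f:
        return f.read() == "not ours"


def exclusive_create_refuses_existing(workdir):
    """O_CREAT|O_EXCL closes the gap: creation fails if the path already exists."""
    name = tempfile.mktemp(dir=workdir)
    with open(name, "w"):
        pass
    try:
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return True
    os.close(fd)
    return False


def mkstemp_properties(workdir):
    """mkstemp() hands back an already-open descriptor; report existence and mode."""
    fd, path = tempfile.mkstemp(dir=workdir)
    try:
        mode = stat.S_IMODE(os.fstat(fd).st_mode)
        return os.path.exists(path), mode
    finally:
        os.close(fd)
        os.unlink(path)


if __name__ == "__main__":
    d = tempfile.mkdtemp()                # private directory, mode 0700
    print(name_then_open_reuses_existing(d))
    print(exclusive_create_refuses_existing(d))
    print(mkstemp_properties(d))
```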