| Summary: | dev-python/pip : insecure usage of temporary files | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | normal | CC: | python |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
err...this is a dupe of 462616 *** This bug has been marked as a duplicate of bug 462616 *** |
From ${URL} : Prior to version 1.3 pip used '/tmp/pip-build' as a temporary directory and as per the report in https://github.com/pypa/pip/issues/725 would follow a symbolic link placed at '/tmp/pip-build' when writing temporary files. Is this the one actually fixed in https://github.com/pypa/pip/pull/780/files @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.