[Python-Dev] FWD: Python execvpe symlink race condition.

Zack Weinberg zack@codesourcery.com
Sun, 16 Feb 2003 09:56:12 -0800


Guido van Rossum <guido@python.org> writes:

> [Aahz, quoting an anonymous security report]
>> >> >> It is possible to create a link of the file to be executed
>> >> >> (t) in the limited time window between the statements
>> >> >> os.path.exists(file) in tempfile.py and execv(t, ('blah',)) in
>> >> >> os.py are executed.
>
> [Zack]
>> >> That is exactly the signature of one of the tempfile bugs that I
>> >> fixed.  I do not know whether any official 2.2.x release has yet
>> >> occurred that includes the bugfix.
>
> [Aahz]
>> > That's what I suspected.  Did you check that into the 2.2.x maint
>> > branch?  (I remember that you did, but I'm triple-checking.)
>
> [Zack]
>> I don't have write privileges.  I thought that it was checked into the
>> 2.2.x maint branch but I don't actually know.
>
> Zack's changes to tempfile.py were *not* checked into Python 2.2 --
> they require API changes that are difficult to justify.  (The changes
> by Zack that you remember being checked into 2.2 were execve.)

The present report should have been addressed by the execve changes.

zw
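
An added illustration, not part of the original thread and not Python's own code: the check-then-use window the report describes, reproduced in a private temporary directory beside an atomic alternative. It assumes a POSIX system; `open()` stands in for `execv()` so the demo stays in one process, and every name (`check_then_use`, `atomic_create`, `plant`, the file paths) is hypothetical.

```python
import os
import tempfile

def check_then_use(path, interloper):
    """Race-prone: test the name with os.path.exists(), act on it later."""
    if os.path.exists(path):
        raise FileExistsError(path)
    interloper(path)  # stands in for another process running inside the window
    with open(path, "w") as fh:  # follows whatever now sits at that name
        fh.write("scratch\n")

def atomic_create(path, interloper):
    """Check and creation are one system call: O_EXCL refuses an existing
    name and does not follow a symlink found there."""
    interloper(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("scratch\n")

def demo():
    """Run both patterns in a private directory; all paths are constructed."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target.txt")  # file the link will point at
        name = os.path.join(d, "tmpname")       # the "unused" temporary name

        def plant(path):
            os.symlink(target, path)

        def reset():
            if os.path.lexists(name):
                os.unlink(name)
            with open(target, "w") as fh:
                fh.write("important\n")

        def read_target():
            with open(target) as fh:
                return fh.read()

        reset()
        check_then_use(name, plant)
        after_racy = read_target()

        reset()
        try:
            atomic_create(name, plant)
            refused = False
        except FileExistsError:
            refused = True
        return after_racy, refused, read_target()

if __name__ == "__main__":
    print(demo())
```
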