Message231473
I hesitate about applying the patch to maintained releases. On one hand, besides interface (even non-documented details) left the same, the patch changes interiors too much for ordinal bug. I don't see how it can break something, but this doesn't guarantee that changes don't have unexpected effect.
On other hand, this bug can be considered as security-related issue. Malicious local attacker could replace ZIP file between its open and read from it or between two reads, if he has write access to the directory containing ZIP file or there are symplinks under his control in ZIP file path. The danger of this may exceed hypothetical negative consequences of the applying of the patch.
I appeal the matter to release managers. Should we apply this patch (the risk is pretty small) to 2.7 and 3.4? |
|
Date |
User |
Action |
Args |
2014-11-21 14:27:41 | serhiy.storchaka | set | recipients:
+ serhiy.storchaka, loewis, alanmcintyre, pitrou, ocean-city, larry, benjamin.peterson, mcepl, eric.araujo, Arfrever, r.david.murray, kasal, dw |
2014-11-21 14:27:41 | serhiy.storchaka | set | messageid: <1416580061.44.0.360478667808.issue14099@psf.upfronthosting.co.za> |
2014-11-21 14:27:41 | serhiy.storchaka | link | issue14099 messages |
2014-11-21 14:27:40 | serhiy.storchaka | create | |
|