
tmpdir: fix insecure temporary directory vulnerability (CVE-2025-71176)#14343

Merged
bluetech merged 1 commit into pytest-dev:main from bluetech:cve-2025-71176-simple on Apr 7, 2026

Conversation

@bluetech (Member)

This is my proposed alternative to #13669 as discussed in the issue. I think we should go with the simple fix for now. I think this one should be safe to backport.

A previous fix for the insecure temporary directory issue, c49100c, wasn't sufficient because it followed symlinks.

Stop following symlinks, and reject if a symlink; we know it shouldn't be.

Fix #14279.

[0] https://www.openwall.com/lists/oss-security/2026/01/21/5
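The distinction the description draws (a check that follows symlinks versus one that inspects the directory entry itself) is easiest to see side by side. The following is an added example written for this page, not pytest's own `tmpdir` code: `check_basetemp_following_symlinks` reproduces the weak pattern (`stat()`, which resolves a symlink to its target), `check_basetemp_no_symlinks` is the hardened pattern (`lstat()` plus an explicit symlink rejection), and `demo` builds a constructed scenario with a private directory and a symlink pointing at it. The function names, the ownership/permission rules and the `pytest-of-user` directory name are assumptions chosen for illustration.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def _is_private_dir(st: os.stat_result) -> bool:
    """Directory, owned by the current user, no group/other permission bits."""
    return (
        stat.S_ISDIR(st.st_mode)
        and st.st_uid == os.getuid()
        and (st.st_mode & 0o077) == 0
    )


def check_basetemp_following_symlinks(path: Path) -> bool:
    """Weak check (hypothetical simplification of the flawed pattern).

    Path.stat() follows symlinks, so a symlink planted in a shared
    directory that points at a private directory passes this check even
    though the path we were handed is not the directory we created.
    """
    try:
        return _is_private_dir(path.stat())
    except FileNotFoundError:
        return False


def check_basetemp_no_symlinks(path: Path) -> bool:
    """Hardened check (hypothetical): inspect the entry itself.

    Path.lstat() does not follow symlinks. A base temp directory that the
    caller created with mkdtemp() is never a symlink, so any symlink here is
    rejected outright before the ownership/permission rules are applied.
    """
    try:
        st = path.lstat()
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode):
        return False
    return _is_private_dir(st)


def demo() -> dict:
    """Constructed scenario: a private directory and a symlink to it.

    In the real attack the symlink would be created by another local user in
    a shared location such as /tmp; this example runs as a single user, so
    it creates the symlink itself to exercise the two checks.
    """
    parent = Path(tempfile.mkdtemp())
    real = parent / "pytest-of-user"       # assumed directory name
    real.mkdir()
    os.chmod(real, 0o700)                  # mkdir() mode is subject to umask; force 0700
    link = parent / "pytest-of-user-link"  # assumed symlink name
    os.symlink(real, link)
    try:
        return {
            "weak_real": check_basetemp_following_symlinks(real),
            "weak_link": check_basetemp_following_symlinks(link),
            "hard_real": check_basetemp_no_symlinks(real),
            "hard_link": check_basetemp_no_symlinks(link),
        }
    finally:
        shutil.rmtree(parent)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The weak check accepts both the directory and the symlink to it; the hardened check accepts only the directory. Note that an `lstat()`-then-use sequence is still a check followed by a separate use, so it should be read as a sanity check on a directory the process created itself, not as a substitute for creating that directory with `mkdtemp()` in the first place.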

@bluetech added the label "backport 9.0.x" (apply to PRs at any point; backports the changes to the 9.0.x branch) on Mar 31, 2026
@bluetech force-pushed the cve-2025-71176-simple branch from 7479218 to 7161cfe on March 31, 2026 15:21
@psf-chronographer (bot) added the label "bot:chronographer:provided" (automation: changelog entry is part of PR) on Mar 31, 2026
@nicoddemus (Member) left a comment

LGTM!

@bluetech merged commit 95d8423 into pytest-dev:main on Apr 7, 2026
33 checks passed
@bluetech deleted the cve-2025-71176-simple branch on April 7, 2026 14:43
@patchback (bot) commented Apr 7, 2026

Backport to 9.0.x: 💚 backport PR created

✅ Backport PR branch: patchback/backports/9.0.x/95d8423bd24992deea5b9df32555fa1741679e2c/pr-14343

Backported as #14363

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

patchback bot pushed a commit that referenced this pull request Apr 7, 2026
tmpdir: fix insecure temporary directory vulnerability (CVE-2025-71176)
(cherry picked from commit 95d8423)
bluetech added a commit that referenced this pull request Apr 7, 2026
…5d8423bd24992deea5b9df32555fa1741679e2c/pr-14343

[PR #14343/95d8423b backport][9.0.x] tmpdir: fix insecure temporary directory vulnerability (CVE-2025-71176)