IMHO it's highly unrealistic that this actually gets exploited, as it requires a scenario where someone directly puts a module into /tmp/, not a subdir. Aside from dbusmock's own tests this is very unlikely, as usually projects ship their own mocks in their source tree and don't generate them on the fly. And then it can only happen when there are multiple and untrusted users on a machine (which isn't the case in CI systems either).
So, this does need to get fixed, but my gut feeling is that the severity is on the "low" side and doesn't warrant private vendor-sec coordination with a coordinated release date. But I'll let our security team decide.
As discussed by mail already, this is the patch which I'll apply upstream. This includes a test case, too.