'[oss-security] CVE request: temp file issues in python's logilab-common module'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE request: temp file issues in python's logilab-common module
From:       "Vincent Danen" <vdanen () redhat ! com>
Date:       2014-01-31 18:28:42
Message-ID: DF86991A-119D-4768-8829-506BB30FC9A7 () redhat ! com
[Download RAW message or body]

Some temporary file issues were reported by Jakub Wilk (quoting from our bug report):

In logilab/common/pdf_ext.py it uses fully predictable names:

def extract_keys_from_pdf(filename):
    # what about using 'pdftk filename dump_data_fields' and parsing the output ?
    os.system('pdftk %s generate_fdf output /tmp/toto.fdf' % filename)
    lines = file('/tmp/toto.fdf').readlines()
    return extract_keys(lines)


def fill_pdf(infile, outfile, fields):
    write_fields(file('/tmp/toto.fdf', 'w'), fields)
    os.system('pdftk %s fill_form /tmp/toto.fdf output %s flatten' % (infile, outfile))


And in logilab/common/shellutils.py:

class Execute:
    """This is a deadlock safe version of popen2 (no stdin), that returns
    an object with errorlevel, out and err.
    """

    def __init__(self, command):
        outfile = tempfile.mktemp()
        errfile = tempfile.mktemp()
        self.status = os.system("( %s ) >%s 2>%s" %
                                (command, outfile, errfile)) >> 8
        self.out = open(outfile, "r").read()
        self.err = open(errfile, "r").read()
        os.remove(outfile)
        os.remove(errfile)


tempfile.mktemp() should be replaced with tempfile.mkstemp() as it is documented as insecure.


I don't believe a CVE has been requested for this already.  Can one be assigned please?


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1060304
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737051
https://bugs.gentoo.org/show_bug.cgi?id=499872
http://secunia.com/advisories/56720/

-- 
Vincent Danen / Red Hat Security Response Team
["signature.asc" (signature.asc)]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQGcBAEBAgAGBQJS6+taAAoJEJS+gzzouGyrl5EL/imadwCmVk9MHUeQbe9sv9uV
UMNVNeBrlJjF+sJ+38X1rC2ZQmjxVNfD2v6PjigeqvoM6w87dmuXBhcvDJ06ENXI
NQxuuI4yxHqXjxW/Q9GhL7zJr7AWdGktilgojFkA6jRUMRbF8TRv/cMDbuDIen76
d3pvZd5DBtrJl2Gc/b6gbxsMO1LsOZA+eOflvhDKqCj9derDTr+4mxzdfhb+cIIJ
L8uCtezgwEoKwlbi77tIpUH3R4zStgjaZIYCczsvnVqssDaf9S9J4Cf59y8e+19Q
uDefLn4D028/ErJ2Kuv5+UU+nFu+eWL1uk2AeJI82Ee1+rBOHtdNAOmIKgUU1Qxz
QwETHDGpvkDqkC4dQ2vdSEIn26tRAvm6EVodpvoIv1fepHrYhIRTK4TzOMzguJUd
0Ju5Vjlc2VbJBIK6gxGRQk4ZEMIeXhki2atYgDfCAU4gTniiMVJQzfDNBS03eI5j
itE6qdTpXdig3NThJQ4C78J4AQFLJFfemtoUFtz26w==
=qhPM
-----END PGP SIGNATURE-----


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic