List: oss-security
Subject: [oss-security] CVE request: temp file issues in python's logilab-common module
From: "Vincent Danen" <vdanen () redhat ! com>
Date: 2014-01-31 18:28:42
Message-ID: DF86991A-119D-4768-8829-506BB30FC9A7 () redhat ! com
Some temporary file issues were reported by Jakub Wilk (quoting from our bug report):
In logilab/common/pdf_ext.py it uses fully predictable names:
def extract_keys_from_pdf(filename):
    # what about using 'pdftk filename dump_data_fields' and parsing the output ?
    os.system('pdftk %s generate_fdf output /tmp/toto.fdf' % filename)
    lines = file('/tmp/toto.fdf').readlines()
    return extract_keys(lines)

def fill_pdf(infile, outfile, fields):
    write_fields(file('/tmp/toto.fdf', 'w'), fields)
    os.system('pdftk %s fill_form /tmp/toto.fdf output %s flatten' % (infile, outfile))
And in logilab/common/shellutils.py:
class Execute:
    """This is a deadlock safe version of popen2 (no stdin), that returns
    an object with errorlevel, out and err.
    """
    def __init__(self, command):
        outfile = tempfile.mktemp()
        errfile = tempfile.mktemp()
        self.status = os.system("( %s ) >%s 2>%s" %
                                (command, outfile, errfile)) >> 8
        self.out = open(outfile, "r").read()
        self.err = open(errfile, "r").read()
        os.remove(outfile)
        os.remove(errfile)
tempfile.mktemp() should be replaced with tempfile.mkstemp() as it is documented as insecure.
I don't believe a CVE has been requested for this already. Can one be assigned please?
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1060304
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737051
https://bugs.gentoo.org/show_bug.cgi?id=499872
http://secunia.com/advisories/56720/
--
Vincent Danen / Red Hat Security Response Team
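Added example (not from the message above, nor logilab-common's own fix): Python 3 replacements for the two quoted patterns. Command output is captured in memory instead of through predictable /tmp paths, the one temp file that is still needed is created with tempfile.mkstemp() (O_EXCL, mode 0600 on POSIX, which this example assumes), and pdftk is invoked with an argument list so no shell interpolates the file names. The FDF body written here is a constructed "name=value" placeholder, not real FDF syntax, and the pdftk argument order is taken from the quoted code.

```python
import os
import stat
import subprocess
import tempfile


class Execute:
    """Run a command without a shell and without temp files; keeps the
    quoted class's attributes (status, out, err)."""

    def __init__(self, argv):
        # argv is a list: nothing is parsed by /bin/sh and no /tmp file is touched
        proc = subprocess.run(argv, stdout=subprocess.PIPE,
                              stderr=subprocess.PIPE, check=False)
        self.status = proc.returncode
        self.out = proc.stdout.decode("utf-8", "replace")
        self.err = proc.stderr.decode("utf-8", "replace")


def write_fields(fields):
    """Write the field data to a freshly created private file whose name is
    unpredictable; returns the path (the caller removes it)."""
    fd, path = tempfile.mkstemp(suffix=".fdf")   # O_CREAT|O_EXCL, mode 0600
    with os.fdopen(fd, "w") as f:                # reuse the fd, never reopen by name
        for name, value in fields.items():
            f.write("%s=%s\n" % (name, value))   # constructed placeholder format
    return path


def private_mode(path):
    """Permission bits of a path, for checking that mkstemp gave us 0600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def fill_pdf(infile, outfile, fields, pdftk="pdftk"):
    """Same job as the quoted fill_pdf(), with a private temp file and an
    argument list instead of os.system() string interpolation."""
    fdf = write_fields(fields)
    try:
        return Execute([pdftk, infile, "fill_form", fdf,
                        "output", outfile, "flatten"]).status
    finally:
        os.remove(fdf)
```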