Vincent Danen | 31 Jan 19:28 2014

CVE request: temp file issues in python's logilab-common module

Some temporary file issues were reported by Jakub Wilk (quoting from our bug report):

In logilab/common/pdf_ext.py it uses fully predictable names:

def extract_keys_from_pdf(filename):
    # what about using 'pdftk filename dump_data_fields' and parsing the output ?
    os.system('pdftk %s generate_fdf output /tmp/toto.fdf' % filename)
    lines = file('/tmp/toto.fdf').readlines()
    return extract_keys(lines)

def fill_pdf(infile, outfile, fields):
    write_fields(file('/tmp/toto.fdf', 'w'), fields)
    os.system('pdftk %s fill_form /tmp/toto.fdf output %s flatten' % (infile, outfile))

And in logilab/common/shellutils.py:

class Execute:
    """This is a deadlock safe version of popen2 (no stdin), that returns
    an object with errorlevel, out and err.
    """

    def __init__(self, command):
        outfile = tempfile.mktemp()
        errfile = tempfile.mktemp()
        self.status = os.system("( %s ) >%s 2>%s" %
                                (command, outfile, errfile)) >> 8
        self.out = open(outfile, "r").read()
        self.err = open(errfile, "r").read()
        os.remove(outfile)
        os.remove(errfile)

cve | 3 Feb 04:50 2014

Re: CVE request: temp file issues in python's logilab-common module


> In logilab/common/pdf_ext.py it uses fully predictable names:
> lines = file('/tmp/toto.fdf').readlines()
> write_fields(file('/tmp/toto.fdf', 'w'), fields)

Use CVE-2014-1838.

> And in logilab/common/shellutils.py:
>         outfile = tempfile.mktemp()
>         errfile = tempfile.mktemp()
> tempfile.mktemp() should be replaced with tempfile.mkstemp() as it is documented as insecure.

> http://docs.python.org/2/library/tempfile.html

Use CVE-2014-1839.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
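A hardened rewrite of the Execute helper quoted in the request, added here as an example (this is not logilab-common's own code; the class and function names are assumptions). It shows what the mktemp() to mkstemp() change buys: the file is created atomically with mode 0600 and the returned descriptor is what the child writes through, so no path is ever re-opened by name.

```python
import os
import subprocess
import tempfile


def _read_and_close(fd):
    """Rewind the descriptor the child wrote through and return its contents."""
    with os.fdopen(fd, "r") as fh:
        fh.seek(0)
        return fh.read()


class SafeExecute:
    """Hardened counterpart of logilab-common's Execute (assumed name).

    tempfile.mkstemp() creates the file with O_CREAT|O_EXCL and mode 0600
    and hands back an open descriptor, so a pre-existing file or symlink
    at a guessable path is never opened, followed or overwritten.
    """

    def __init__(self, command):
        out_fd, out_path = tempfile.mkstemp(prefix="exec-out-")
        err_fd, err_path = tempfile.mkstemp(prefix="exec-err-")
        try:
            # Hand the child our descriptors instead of ">path" shell
            # redirections. The command itself still goes to a shell, exactly
            # as os.system() did, so it must not be built from untrusted input.
            proc = subprocess.run(command, shell=True, stdout=out_fd, stderr=err_fd)
            self.status = proc.returncode
            self.out = _read_and_close(out_fd)
            self.err = _read_and_close(err_fd)
        finally:
            os.remove(out_path)
            os.remove(err_path)


def tempfile_permissions():
    """Return the permission bits mkstemp() applied to a fresh file (0o600 on POSIX)."""
    fd, path = tempfile.mkstemp()
    try:
        return os.fstat(fd).st_mode & 0o777
    finally:
        os.close(fd)
        os.remove(path)
```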
