python-eyed3: CVE-2014-1934: insecure use of /tmp

Related Vulnerabilities: CVE-2014-1934  

Debian Bug report logs - #737062
python-eyed3: CVE-2014-1934: insecure use of /tmp


Reported by: Jakub Wilk <jwilk@debian.org>

Date: Wed, 29 Jan 2014 20:36:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version eyed3/0.6.18-1

Fixed in version eyed3/0.6.18-3

Done: Petter Reinholdtsen <pere@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bitbucket.org/nicfit/eyed3/issue/65/tagpy-in-eyed3-allows-local-users-to



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Alexander Wirt <formorer@debian.org>:
Bug#737062; Package python-eyed3. (Wed, 29 Jan 2014 20:36:06 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-eyed3: insecure use of /tmp
Date: Wed, 29 Jan 2014 21:33:16 +0100
Package: python-eyed3
Version: 0.6.18-1
Severity: important
Tags: security

eyeD3/tag.py contains this code (twice):

            # Open tmp file
            tmpName = tempfile.mktemp();
            tmpFile = file(tmpName, "w+b");

From the tempfile.mktemp() docstring: “This function is unsafe and 
should not be used. The file name refers to a file that did not exist at 
some point, but by the time you get around to creating it, someone else 
may have beaten you to the punch.”

-- 
Jakub Wilk
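Jakub's two-line excerpt is the whole bug: mktemp() hands back a name that does not yet exist, and any local user who can write to the temp directory can place something at that name before the caller's open() runs. The following is an added example (my code, not eyeD3's and not the reporter's) that simulates the race in-process: the attacker plants a symlink at the predicted name, the mktemp()-then-open() pattern writes straight through it into the attacker's chosen file, whereas an O_CREAT|O_EXCL create (what tempfile.mkstemp() and NamedTemporaryFile() use underneath) refuses the planted name outright. It goes one step past the report and also shows an atomic rewrite of the target file itself, which avoids the copy-back into the original path that a copy-to-/tmp design needs. The victim file, the payloads and the "predicted-name" path are constructed for the demo; it assumes a POSIX system where the same user runs both sides.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Optional


def mktemp_write(payload: bytes, attacker_target: Optional[str] = None) -> str:
    """The vulnerable pattern from the report: predict a name, then open it.

    attacker_target simulates a local user who wins the race between
    mktemp() returning and open() running, by planting a symlink at the
    predicted name that points at a file they want overwritten.
    """
    tmp_name = tempfile.mktemp()               # a name only; nothing exists yet
    if attacker_target is not None:
        os.symlink(attacker_target, tmp_name)  # attacker wins the race
    with open(tmp_name, "w+b") as f:           # follows the planted symlink
        f.write(payload)
    return tmp_name


def exclusive_create(name: str, payload: bytes) -> bool:
    """What mkstemp()/NamedTemporaryFile() do underneath: O_CREAT|O_EXCL.

    open(2) refuses if anything already exists at name, a symlink included,
    regardless of where it points. Returns True if the file was created and
    written, False if the kernel refused the create.
    """
    try:
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    return True


def rewrite_file_safely(path: str, new_content: bytes) -> None:
    """Safe replacement for a copy-to-temp-then-copy-back rewrite.

    The temp file comes from mkstemp() (O_EXCL, mode 0600) in the target's
    own directory, so there is no predictable name to hijack and the final
    os.replace() is an atomic rename on the same filesystem: readers see
    either the old file or the complete new one, never a truncated one.
    """
    target_dir = os.path.dirname(os.path.abspath(path))
    fd, tmp_name = tempfile.mkstemp(dir=target_dir, prefix=".part-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(new_content)
            f.flush()
            os.fsync(f.fileno())
        # mkstemp gives 0600; keep the original's permission bits instead.
        if os.path.exists(path):
            shutil.copymode(path, tmp_name)
        os.replace(tmp_name, path)
    except BaseException:
        os.unlink(tmp_name)                    # never leak the temp file
        raise


def demo() -> dict:
    """Run the three cases against a constructed victim file."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.mp3")
        Path(victim).write_bytes(b"original")

        # 1. mktemp(): the planted symlink redirects the write into the victim.
        tmp = mktemp_write(b"clobbered", attacker_target=victim)
        after_mktemp = Path(victim).read_bytes()
        os.unlink(tmp)                         # remove the attacker's symlink

        # 2. O_EXCL against the same kind of planted symlink: refused.
        Path(victim).write_bytes(b"original")
        planted = os.path.join(d, "predicted-name")
        os.symlink(victim, planted)
        created = exclusive_create(planted, b"clobbered")
        after_excl = Path(victim).read_bytes()

        # 3. Atomic in-directory rewrite of the target itself.
        os.chmod(victim, 0o644)
        rewrite_file_safely(victim, b"new tag + audio")
        after_rewrite = Path(victim).read_bytes()
        mode_after = stat.S_IMODE(os.stat(victim).st_mode)

    return {
        "after_mktemp": after_mktemp,
        "excl_created": created,
        "after_excl": after_excl,
        "after_rewrite": after_rewrite,
        "mode_after": mode_after,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats. The demo runs attacker and victim as the same user, so it does not exercise Linux's fs.protected_symlinks sysctl, which (when enabled) stops a process following a symlink in a sticky world-writable directory such as /tmp if the link is owned by someone else; that mitigation narrows but does not remove the class, which is why the create-with-O_EXCL fix is the right one. And rewrite_file_safely() puts the temp file next to the target rather than in /tmp, which is what makes os.replace() atomic; if the target's directory is not writable, mkstemp() fails up front instead of the rewrite failing halfway through.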



Changed Bug title to 'python-eyed3: CVE-2014-1934: insecure use of /tmp' from 'python-eyed3: insecure use of /tmp' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 11 Feb 2014 06:30:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Wirt <formorer@debian.org>:
Bug#737062; Package python-eyed3. (Fri, 05 Dec 2014 07:42:15 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Alexander Wirt <formorer@debian.org>. (Fri, 05 Dec 2014 07:42:15 GMT)


Message #10 received at 737062@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jakub Wilk <jwilk@debian.org>, 737062@bugs.debian.org
Subject: Re: Bug#737062: python-eyed3: insecure use of /tmp
Date: Fri, 5 Dec 2014 08:29:05 +0100
Control: tags -1 + patch upstream fixed-upstream
Control: forwarded -1 https://bitbucket.org/nicfit/eyed3/issue/65/tagpy-in-eyed3-allows-local-users-to

Hi Alexander,

On Wed, Jan 29, 2014 at 09:33:16PM +0100, Jakub Wilk wrote:
> Package: python-eyed3
> Version: 0.6.18-1
> Severity: important
> Tags: security
> 
> eyeD3/tag.py contains this code (twice):
> 
>             # Open tmp file
>             tmpName = tempfile.mktemp();
>             tmpFile = file(tmpName, "w+b");
> 
> From the tempfile.mktemp() docstring: “This function is unsafe and should
> not be used. The file name refers to a file that did not exist at some
> point, but by the time you get around to creating it, someone else may have
> beaten you to the punch.”

Upstream report is at [1] with commit [2] fixing this issue.

 [1] https://bitbucket.org/nicfit/eyed3/issue/65/tagpy-in-eyed3-allows-local-users-to
 [2] https://bitbucket.org/nicfit/eyed3/commits/372bbacb7a70

Regards,
Salvatore



Added tag(s) upstream, fixed-upstream, and patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 737062-submit@bugs.debian.org. (Fri, 05 Dec 2014 07:42:15 GMT)


Set Bug forwarded-to-address to 'https://bitbucket.org/nicfit/eyed3/issue/65/tagpy-in-eyed3-allows-local-users-to'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 737062-submit@bugs.debian.org. (Fri, 05 Dec 2014 07:42:16 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#737062; Package python-eyed3. (Fri, 05 Dec 2014 08:24:10 GMT)


Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. (Fri, 05 Dec 2014 08:24:10 GMT)


Message #19 received at 737062@bugs.debian.org:

From: Alexander Wirt <formorer@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 737062@bugs.debian.org
Cc: Jakub Wilk <jwilk@debian.org>
Subject: Re: Bug#737062: python-eyed3: insecure use of /tmp
Date: Fri, 5 Dec 2014 09:21:10 +0100
On Fri, 05 Dec 2014, Salvatore Bonaccorso wrote:

> Control: tags -1 + patch upstream fixed-upstream
> Control: forwarded -1 https://bitbucket.org/nicfit/eyed3/issue/65/tagpy-in-eyed3-allows-local-users-to
> 
> Hi Alexander,
> 
> On Wed, Jan 29, 2014 at 09:33:16PM +0100, Jakub Wilk wrote:
> > Package: python-eyed3
> > Version: 0.6.18-1
> > Severity: important
> > Tags: security
> > 
> > eyeD3/tag.py contains this code (twice):
> > 
> >             # Open tmp file
> >             tmpName = tempfile.mktemp();
> >             tmpFile = file(tmpName, "w+b");
> > 
> > From the tempfile.mktemp() docstring: “This function is unsafe and should
> > not be used. The file name refers to a file that did not exist at some
> > point, but by the time you get around to creating it, someone else may have
> > beaten you to the punch.”
> 
> Upstream report is at [1] with commit [2] fixing this issue.
> 
>  [1] https://bitbucket.org/nicfit/eyed3/issue/65/tagpy-in-eyed3-allows-local-users-to
>  [2] https://bitbucket.org/nicfit/eyed3/commits/372bbacb7a70
tbh, I haven't done python for some time now and I wasn't able to fix the
broken build system coming with new versions. Therefore my plan was to
orphan that package and leave it to someone that knows python better than me.

Alex



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#737062; Package python-eyed3. (Sat, 10 Sep 2016 14:45:08 GMT)


Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Sat, 10 Sep 2016 14:45:08 GMT)


Message #24 received at 737062@bugs.debian.org:

From: Petter Reinholdtsen <pere@hungry.com>
To: 737062@bugs.debian.org
Subject: Re: python-eyed3: CVE-2014-1934: insecure use of /tmp
Date: Sat, 10 Sep 2016 16:44:05 +0200
Control: tags -1 + patch

Here is the patch I backported from upstream to the older version in
Debian.  I just uploaded it in 0.6.18-3 as
debian/patches/CVE-2014-1934.patch.

Description: Avoid insecure use of file in /tmp/
 Based on upstream fix for CVE-2014-1934, 
 <URL: https://bitbucket.org/nicfit/eyed3/commits/372bbacb7a70 >,
 adjusted to cope with the older version of the code.
Author: Petter Reinholdtsen <pere@hungry.com>
Bug: https://bitbucket.org/nicfit/eyed3/issue/65/tagpy-in-eyed3-allows-local-users-to
Bug-Debian: https://bugs.debian.org/737062
Forwarded: not-needed
Reviewed-By: Petter Reinholdtsen <pere@hungry.com>
Last-Update: 2016-09-10

--- eyed3-0.6.18.orig/src/eyeD3/tag.py
+++ eyed3-0.6.18/src/eyeD3/tag.py
@@ -561,8 +561,7 @@ class Tag:
             tagFile.seek(tagSize);
 
             # Open tmp file
-            tmpName = tempfile.mktemp();
-            tmpFile = file(tmpName, "w+b");
+            tmpFile = tempfile.NamedTemporaryFile("wb", delete=False);
 
             # Write audio data in chunks
             self.__copyRemaining(tagFile, tmpFile);
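Review bot: the open mode narrows from "w+b" to "wb" in the NamedTemporaryFile("wb", delete=False) call, so if anything between this hunk and the tmpFile.close() in the next one seeks back and reads from tmpFile, it will now fail on the read; check __copyRemaining and the elided lines, and if no read-back happens, the narrower mode is fine and slightly better. The security fix itself is sound: NamedTemporaryFile creates the file with O_CREAT|O_EXCL and mode 0600, so the mktemp() window in which another local user could plant a symlink at the predicted name is gone. Note that the file still lands in tempfile.gettempdir() (normally /tmp), not next to self.linkedFile.name, which is why the later copy-back remains a separate copy rather than a rename.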
@@ -572,8 +571,8 @@ class Tag:
             tmpFile.close();
 
             # Move tmp to orig.
-            shutil.copyfile(tmpName, self.linkedFile.name);
-            os.unlink(tmpName);
+            shutil.copyfile(tmpFile.name, self.linkedFile.name);
+            os.unlink(tmpFile.name);
 
             retval |= 1;
 
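Review bot: nothing guards shutil.copyfile(tmpFile.name, self.linkedFile.name); if the copy raises (disk full, permission error on the target), os.unlink(tmpFile.name) is never reached and the delete=False temp file leaks in /tmp, so wrap the copy in try/finally with the unlink in the finally. Separately, copyfile truncates the original and rewrites it in place, so an interrupted copy leaves a damaged audio file; creating the temp file with dir=os.path.dirname(self.linkedFile.name) and finishing with os.rename(tmpFile.name, self.linkedFile.name) would make the replacement atomic and remove the unlink entirely. That is more than a minimal backport needs, but it is the weakness this hunk still carries.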
@@ -1309,8 +1308,7 @@ class Tag:
          tagFile.close();
       else:
          # Open tmp file
-         tmpName = tempfile.mktemp();
-         tmpFile = file(tmpName, "w+b");
+         tmpFile = tempfile.NamedTemporaryFile("wb", delete=False);
          TRACE_MSG("Writing %d bytes of tag data" % len(tagData));
          tmpFile.write(tagData);
 
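Review bot: same construction as the first hunk and the same mode question: tmpFile is now opened "wb" where the original was "w+b". The only use visible here is tmpFile.write(tagData), so the narrower mode is fine unless the lines elided between this hunk and the next seek back to read. Since the mktemp() bug was present twice because this block was copied, consider moving the NamedTemporaryFile call into one small helper used by both sites so the two stay in step on future fixes.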
@@ -1329,8 +1327,8 @@ class Tag:
          tmpFile.close();
 
          # Move tmp to orig.
-         shutil.copyfile(tmpName, self.linkedFile.name);
-         os.unlink(tmpName);
+         shutil.copyfile(tmpFile.name, self.linkedFile.name);
+         os.unlink(tmpFile.name);
 
       # Update our state.
       TRACE_MSG("Tag write complete.  Updating state.");
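Review bot: as in the second hunk, there is no try/finally around shutil.copyfile(tmpFile.name, self.linkedFile.name), so a failed copy leaves the temp file behind, and the copy into the original path is still an in-place, non-atomic rewrite of the tagged file. Both call sites would take the same fix (temp file created in the target's directory, then os.rename), which also drops the two os.unlink calls.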

--
Happy hacking
Petter Reinholdtsen



Reply sent to Petter Reinholdtsen <pere@debian.org>:
You have taken responsibility. (Sat, 10 Sep 2016 16:24:10 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Sat, 10 Sep 2016 16:24:10 GMT)


Message #29 received at 737062-close@bugs.debian.org:

From: Petter Reinholdtsen <pere@debian.org>
To: 737062-close@bugs.debian.org
Subject: Bug#737062: fixed in eyed3 0.6.18-3
Date: Sat, 10 Sep 2016 16:21:04 +0000
Source: eyed3
Source-Version: 0.6.18-3

We believe that the bug you reported is fixed in the latest version of
eyed3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 737062@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Petter Reinholdtsen <pere@debian.org> (supplier of updated eyed3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 10 Sep 2016 14:26:05 +0000
Source: eyed3
Binary: python-eyed3 eyed3
Architecture: source
Version: 0.6.18-3
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Petter Reinholdtsen <pere@debian.org>
Description:
 eyed3      - Display and manipulate id3-tags on the command-line
 python-eyed3 - Python module for id3-tags manipulation
Closes: 737062 834983
Changes:
 eyed3 (0.6.18-3) unstable; urgency=medium
 .
   * QA upload.
   * Added CVE-2014-1934.patch to avoid insecure use of /tmp/ (Closes:
     #737062).
   * Added reproducible-build.patch from Chris Lamb to make build
     reproducible (Closes: #834983).
   * Updated to debhelper 9.
   * Updated Standards-Version from 3.9.2 to 3.9.8.
Checksums-Sha1:
 5bb97b615cc5b4853db27985cb33132ef1a11893 1762 eyed3_0.6.18-3.dsc
 8cee3fdfa02ab6996ad0d642a74d83b2f66ea55a 4452 eyed3_0.6.18-3.debian.tar.xz
Checksums-Sha256:
 43eb12af9909ac00dc47d0c4228b04c601df572238e765479f64ff237ddcac1a 1762 eyed3_0.6.18-3.dsc
 04bd1cd95b9bd2469ece78503d258c2276410f0d3712213740dd8a0fedd9674d 4452 eyed3_0.6.18-3.debian.tar.xz
Files:
 62b94babd615cc246d2df568833624c3 1762 python optional eyed3_0.6.18-3.dsc
 93c093f4808273fef8fb87a884603c64 4452 python optional eyed3_0.6.18-3.debian.tar.xz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 14 Oct 2016 07:30:50 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:07:59 2019; Machine Name: buxtehude
