python-gamera: CVE-2014-1937: insecure use of /tmp

Related Vulnerabilities: CVE-2014-1937  

Debian Bug report logs - #737324
python-gamera: CVE-2014-1937: insecure use of /tmp


Reported by: Jakub Wilk <jwilk@debian.org>

Date: Sat, 1 Feb 2014 17:48:01 UTC

Severity: important

Tags: security

Found in version gamera/3.3.3-2

Fixed in version gamera/3.4.1-1

Done: Daniel Stender <debian@danielstender.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org:
Bug#737324; Package python-gamera. (Sat, 01 Feb 2014 17:48:06 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-gamera: insecure use of /tmp
Date: Sat, 1 Feb 2014 18:45:15 +0100
Package: python-gamera
Version: 3.3.3-2
Severity: important
Tags: security

gamera/io.py contains this code:


      import os
      import sys
      import tempfile

      ## STRIP OUT % AND # LINES
      # mktemp() only returns a name; nothing is created until the shell's
      # '>' redirect below, so another local user can plant a symlink at
      # tmpname in between and have the output written through it.
      tmpname = tempfile.mktemp()
      if sys.platform == 'win32':
          # NT VERSION OF GREP DOESN'T DO THE STRIPPING ... SIGH
          # fname is concatenated unquoted into a shell command line
          cmd = "grep.exe -v \'%\' "+fname+" > "+tmpname
          print cmd
          os.system(cmd)
      else:
          # UNIX SIDE SHOULD WORK
          cmd = "cat "+fname+" | grep -v \'%\' |grep -v \'#\' > "+tmpname
          print cmd
          os.system(cmd)


From the tempfile.mktemp() docstring: “This function is unsafe and 
should not be used. The file name refers to a file that did not exist at 
some point, but by the time you get around to creating it, someone else 
may have beaten you to the punch.”

-- 
Jakub Wilk
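The race described in the report, as an added example that is not part of the bug report, of Gamera's code, or of the avoid_mktemp.diff shipped in 3.4.1-1 (whose contents the page does not show): the predictable-name pattern beside a mkstemp()-based replacement, run in a private directory with a symlink planted at the predicted name. The shell pipeline is replaced by an equivalent Python open-for-write so the example runs without grep; both the shell's `>` redirect and open(..., "w") create the output with O_CREAT|O_TRUNC and no O_EXCL, which is the property the attack relies on. File names, the sample input and the function names are constructed for the demonstration.

```python
import os
import tempfile


def filter_lines(src_path, dst_fileobj):
    """Equivalent of `grep -v '%' | grep -v '#'`: drop every line that
    contains a '%' or a '#' anywhere."""
    with open(src_path) as src:
        for line in src:
            if "%" not in line and "#" not in line:
                dst_fileobj.write(line)


def vulnerable_filter(src_path, tmpname):
    """Original pattern: the caller picked tmpname with tempfile.mktemp()
    and the output is created afterwards with a plain open-for-write.
    Like the shell's '>' redirect, this is O_CREAT|O_TRUNC without O_EXCL,
    so it follows whatever already exists at tmpname, including a symlink
    someone planted between mktemp() and the write."""
    with open(tmpname, "w") as out:
        filter_lines(src_path, out)
    return tmpname


def hardened_filter(src_path, tmpdir=None):
    """Hardened pattern: mkstemp() creates the file itself with
    O_CREAT|O_EXCL (mode 0600), so nothing can be pre-placed at the name,
    and the returned fd is used directly rather than reopening by path."""
    fd, tmpname = tempfile.mkstemp(prefix="gamera-", suffix=".txt", dir=tmpdir)
    with os.fdopen(fd, "w") as out:
        filter_lines(src_path, out)
    return tmpname


def create_exclusive(path):
    """What mkstemp() does for one candidate name: O_EXCL refuses to open
    through an existing path, a symlink included (even a dangling one).
    Returns True if the file was created, False if something was there."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    os.close(fd)
    return True


def demo():
    """Simulate the race in a throwaway directory (constructed data).
    Returns (victim content after the vulnerable write,
             whether O_EXCL refused the planted symlink,
             lines produced by the hardened path)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "input.txt")
        with open(src, "w") as f:
            f.write("keep 1\n% a comment\n# another comment\nkeep 2\n")
        # A file the attacker wants clobbered (stand-in for e.g. a dotfile)
        victim = os.path.join(work, "victim.txt")
        with open(victim, "w") as f:
            f.write("original victim content\n")
        # Attacker wins the race: predicts the mktemp() name and plants a symlink
        predicted = os.path.join(work, "tmpXYZ123")
        os.symlink(victim, predicted)

        vulnerable_filter(src, predicted)        # writes through the symlink
        with open(victim) as f:
            victim_after = f.read()

        refused = not create_exclusive(predicted)  # O_EXCL sees the symlink

        out = hardened_filter(src, tmpdir=work)
        with open(out) as f:
            hardened_lines = f.read().splitlines()

        return victim_after, refused, hardened_lines


if __name__ == "__main__":
    after, refused, lines = demo()
    print("victim after vulnerable write:", repr(after))
    print("O_EXCL refused planted symlink:", refused)
    print("hardened output:", lines)
```

A variant that keeps the external grep should pass the command as an argument list to subprocess without shell=True and hand it the fd from mkstemp() as stdout; that also removes the unquoted fname from the shell command line seen in the quoted snippet.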



Changed Bug title to 'python-gamera: CVE-2014-1937: insecure use of /tmp' from 'python-gamera: insecure use of /tmp'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 11 Feb 2014 06:36:05 GMT)


Added tag(s) pending. Request was from Daniel Stender <debian@danielstender.com> to control@bugs.debian.org. (Wed, 09 Jul 2014 00:21:04 GMT)


Reply sent to Daniel Stender <debian@danielstender.com>:
You have taken responsibility. (Thu, 31 Jul 2014 21:36:35 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Thu, 31 Jul 2014 21:36:35 GMT)


Message #12 received at 737324-close@bugs.debian.org:

From: Daniel Stender <debian@danielstender.com>
To: 737324-close@bugs.debian.org
Subject: Bug#737324: fixed in gamera 3.4.1-1
Date: Thu, 31 Jul 2014 21:35:24 +0000
Source: gamera
Source-Version: 3.4.1-1

We believe that the bug you reported is fixed in the latest version of
gamera, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 737324@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Stender <debian@danielstender.com> (supplier of updated gamera package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 25 Jul 2014 20:59:16 +0200
Source: gamera
Binary: python-gamera python-gamera-dbg python-gamera-dev gamera-gui gamera-doc
Architecture: source amd64 all
Version: 3.4.1-1
Distribution: unstable
Urgency: medium
Maintainer: Daniel Stender <debian@danielstender.com>
Changed-By: Daniel Stender <debian@danielstender.com>
Description:
 gamera-doc - documentation for the Gamera framework
 gamera-gui - GUI for the Gamera framework
 python-gamera - framework for building document analysis applications
 python-gamera-dbg - framework for document analysis applications (debug symbols)
 python-gamera-dev - framework for document analysis applications (header files)
Closes: 629177 692661 736004 737324 747548
Changes:
 gamera (3.4.1-1) unstable; urgency=medium
 .
   [ Daniel Stender ]
   * New upstream release (3.4.1, Closes: #747548).
   * Removed setup-no-import.diff (setup.py now provides --nowx switch,
     added that to deb/rules.)
   * Added avoid_mktemp.diff to fix CVE-2014-1937 (Closes: #737324).
   * Refreshed fix-typos.diff.
   * deb/control:
     + Changed maintainer (Closes: #629177).
     + Changed b-d from libtiff4-dev to libtiff-dev (Closes: #736004).
     + Removed unnecessary build-dep versions.
     + Dropped b-d on python_support.
     + Changed XS-Python-Version to X-Python-Version.
     + Bump standards version to 3.9.5 (no changes needed).
     + Relocated Vcs-* fields.
     + Shortened some short description lines.
   * Updated deb/copyright, sorted holders, padded, removed trailing commas.
   * deb/rules:
     + Added export lines for DH_VERBOSE and DEB_BUILD_OPTIONS.
     + Replaced dh_pysupport with dh_python2.
     + Removal of Sourceforge logo to prevent privacy-breach-logo.
   * Added absolute path to icon in gamera-gui.menu.
   * Added Keywords to deb/gamera-gui.desktop.
   * Added override for inconsistent-testsuite-field (Closes: #692661 wontfix).
   * Wrapped-and-sorted.
 .
   [ Jakub Wilk ]
   * New upstream release (3.4.0):
     + Drop pil-import.diff; applied upstream.
     + Drop use-system-galib.diff; no longer needed.
     + Refresh other patches.
     + Drop libga-dev from Build-Depends; no longer needed.
     + Bump minimum required Python version to 2.5.
     + Add gamera/__compiletime_config__.py to debian/clean.
     + Update debian/copyright.
   * Add patch to fix spelling mistakes (fix-typos.diff).
   * Rewrite debian/rules without using dh.
     + Reduce minimum required debhelper version to 7.
   * Install *.egg-info into the binary package.
   * Override HOME, so that ~/.matplotlib/ directory is not left behind.
   * Set PYTHONHASHSEED=random in debian/rules.
   * Use canonical URIs for Vcs-* fields.
Checksums-Sha1:
 fa730dc32edb46fd5525186afa4db33eaf2809ab 2453 gamera_3.4.1-1.dsc
 af348fd3ba41b7539cf8fe10b5a4239a189a4139 5281314 gamera_3.4.1.orig.tar.gz
 eeac35c866300ad8376a2a8be2e9148a38689223 30520 gamera_3.4.1-1.debian.tar.xz
 ea77fd52cd730abd1d80ee5c213f6d9fc41b66b7 2314560 python-gamera_3.4.1-1_amd64.deb
 efe6f0bdbc98e557bc06755a535cee332e49d585 26766644 python-gamera-dbg_3.4.1-1_amd64.deb
 8e15b27a1fd488ebb2bd58de153d08a10d6119b4 156858 python-gamera-dev_3.4.1-1_all.deb
 e62f2aa87116df2f1efbfcf170dad44a921cf31d 371668 gamera-gui_3.4.1-1_all.deb
 569fcefed7c7f032a6af56d9f90bb7a867039d6c 2843626 gamera-doc_3.4.1-1_all.deb
Checksums-Sha256:
 2c3bba865a9e1491426efabe4faf332e7202785d9956dd69b75b5c6d82eec8a4 2453 gamera_3.4.1-1.dsc
 c48ae58d9843f3dbdd352047e86314f6d1cf76ae150aa663bee2bc86c967d7d4 5281314 gamera_3.4.1.orig.tar.gz
 bd270df66e21c10dbea304a7b2b8f574333a7d94ad27158e618569fb1bc4273a 30520 gamera_3.4.1-1.debian.tar.xz
 a9fb168f6164101d6ab213bba7818c924545a88c4e787726da27dfecf2e189ef 2314560 python-gamera_3.4.1-1_amd64.deb
 52c5d1645c52f750cbdf6c4188f5a40b36eab1eadfba5f9b1a91d48fa1b766b5 26766644 python-gamera-dbg_3.4.1-1_amd64.deb
 1ad5d1614c7aa2fee883e5190899dea3f9171e963b24ee6dd58d1be497b6cd11 156858 python-gamera-dev_3.4.1-1_all.deb
 5f37b8242b447d23321f9ee1a920d045f9720f87a7810673bab986f6d6ff642c 371668 gamera-gui_3.4.1-1_all.deb
 db4be388844ef05739b4cad867d9b6ebbdb9de488baa3d44835050d7238fbb84 2843626 gamera-doc_3.4.1-1_all.deb
Files:
 140af987d8ae36045112178ee25d675e 2314560 python optional python-gamera_3.4.1-1_amd64.deb
 26b515b17050da39fbc8afdf0c7b689f 26766644 debug extra python-gamera-dbg_3.4.1-1_amd64.deb
 79a29f1e5b1077cc2eb52c23efa8681e 156858 python optional python-gamera-dev_3.4.1-1_all.deb
 182f99ea53d6b87a78a874f6a352e005 371668 python optional gamera-gui_3.4.1-1_all.deb
 c051d3f33b6076784083c63d0a540623 2843626 doc optional gamera-doc_3.4.1-1_all.deb
 303830fc4522bdc57c167518c4cc5f02 2453 python optional gamera_3.4.1-1.dsc
 f8eb60cbd09a8a557befc1572372ccfb 5281314 python optional gamera_3.4.1.orig.tar.gz
 a87b6944b8d37e973d7076784102bbec 30520 python optional gamera_3.4.1-1.debian.tar.xz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 17 Nov 2014 07:28:18 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:55:49 2019; Machine Name: beach
