python-logilab-common: insecure use of /tmp (CVE-2014-1838 CVE-2014-1839)

Related Vulnerabilities: CVE-2014-1838   CVE-2014-1839  

Debian Bug report logs - #737051
python-logilab-common: insecure use of /tmp (CVE-2014-1838 CVE-2014-1839)


Reported by: Jakub Wilk <jwilk@debian.org>

Date: Wed, 29 Jan 2014 19:30:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version logilab-common/0.60.1-1

Fixed in version logilab-common/0.61.0-1

Done: Sandro Tosi <morph@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#737051; Package python-logilab-common. (Wed, 29 Jan 2014 19:30:06 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-logilab-common: insecure use of /tmp
Date: Wed, 29 Jan 2014 20:27:58 +0100
Package: python-logilab-common
Version: 0.60.1-1
Severity: important
Tags: security

I saw these gems in logilab/common/pdf_ext.py:

def extract_keys_from_pdf(filename):
    # what about using 'pdftk filename dump_data_fields' and parsing the output ?
    os.system('pdftk %s generate_fdf output /tmp/toto.fdf' % filename)
    lines = file('/tmp/toto.fdf').readlines()
    return extract_keys(lines)

def fill_pdf(infile, outfile, fields):
    write_fields(file('/tmp/toto.fdf', 'w'), fields)
    os.system('pdftk %s fill_form /tmp/toto.fdf output %s flatten' % (infile, outfile))

-- 
Jakub Wilk



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#737051; Package python-logilab-common. (Wed, 29 Jan 2014 20:24:05 GMT)


Message #6 received at 737051@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: 737051@bugs.debian.org
Subject: Re: Bug#737051: python-logilab-common: insecure use of /tmp
Date: Wed, 29 Jan 2014 21:21:49 +0100
More vulnerable code in logilab/common/shellutils.py:

class Execute:
    """This is a deadlock safe version of popen2 (no stdin), that returns
    an object with errorlevel, out and err.
    """

    def __init__(self, command):
        outfile = tempfile.mktemp()
        errfile = tempfile.mktemp()
        self.status = os.system("( %s ) >%s 2>%s" %
                                (command, outfile, errfile)) >> 8
        self.out = open(outfile, "r").read()
        self.err = open(errfile, "r").read()
        os.remove(outfile)
        os.remove(errfile)

From the tempfile.mktemp() docstring: “This function is unsafe and 
should not be used. The file name refers to a file that did not exist at 
some point, but by the time you get around to creating it, someone else 
may have beaten you to the punch.”

-- 
Jakub Wilk
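Added example (not logilab-common's code, and not the upstream 0.61.0 fix): the two patterns flagged in the pdf_ext.py and shellutils.py snippets above, rewritten the way a maintainer would harden them. The predictable `/tmp/toto.fdf` and `tempfile.mktemp()` names become `tempfile.mkstemp()` (created O_EXCL with mode 0600), and shell interpolation via `os.system` becomes an argument list with captured pipes. `write_fields` and the `runner` parameter are assumptions added for illustration and testing.

```python
# Added example, not the package's code: safe replacements for the two
# insecure patterns reported in this bug.
#   * fixed /tmp name and tempfile.mktemp()  -> tempfile.mkstemp(), which
#     creates the file itself (O_EXCL, mode 0600) so another local user
#     cannot pre-create or symlink the path first
#   * os.system("... %s ...") shell interpolation -> subprocess.run() with an
#     argv list and piped output, so no shell parses the file name and no
#     temp files are needed for stdout/stderr at all
import os
import subprocess
import tempfile


class Execute:
    """Deadlock-safe command runner exposing status, out and err.
    Unlike the original, output is read from pipes, not files in /tmp."""

    def __init__(self, argv):
        proc = subprocess.run(argv, stdout=subprocess.PIPE,
                              stderr=subprocess.PIPE, check=False)
        self.status = proc.returncode          # already the exit code, no >> 8
        self.out = proc.stdout.decode("utf-8", "replace")
        self.err = proc.stderr.decode("utf-8", "replace")


def write_fields(fh, fields):
    # Hypothetical minimal writer: the bug report does not show the real
    # write_fields(), so this only serialises key/value pairs one per line.
    for key, value in sorted(fields.items()):
        fh.write("%s=%s\n" % (key, value))


def fill_pdf(infile, outfile, fields, runner=Execute):
    """Fill a PDF form with pdftk through a private temp file.
    `runner` is an assumed injection point (called with the argv list) so
    the temp-file handling can be exercised without pdftk installed."""
    fd, fdf = tempfile.mkstemp(prefix="fdf-", suffix=".fdf")  # 0600, O_EXCL
    try:
        with os.fdopen(fd, "w") as fh:
            write_fields(fh, fields)
        result = runner(["pdftk", infile, "fill_form", fdf,
                         "output", outfile, "flatten"])
        return result.status
    finally:
        os.unlink(fdf)  # never leave the FDF behind, whatever pdftk did
```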



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#737051; Package python-logilab-common. (Mon, 03 Feb 2014 05:36:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 03 Feb 2014 05:36:05 GMT)


Message #11 received at 737051@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jakub Wilk <jwilk@debian.org>, 737051@bugs.debian.org
Subject: Re: Bug#737051: python-logilab-common: insecure use of /tmp
Date: Mon, 3 Feb 2014 06:32:33 +0100
Control: retitle -1 python-logilab-common: insecure use of /tmp (CVE-2014-1838 CVE-2014-1839)

Hi Jakub,

FYI, two CVEs were assigned for these issues: CVE-2014-1838 and
CVE-2014-1839, see [1] for the assignment.

 [1] http://marc.info/?l=oss-security&m=139139947905109&w=2

Regards,
Salvatore



Changed Bug title to 'python-logilab-common: insecure use of /tmp (CVE-2014-1838 CVE-2014-1839)' from 'python-logilab-common: insecure use of /tmp'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 737051-submit@bugs.debian.org. (Mon, 03 Feb 2014 05:36:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#737051; Package python-logilab-common. (Mon, 03 Feb 2014 14:15:04 GMT)


Acknowledgement sent to Julien Cristau <julien.cristau@logilab.fr>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 03 Feb 2014 14:15:04 GMT)


Message #18 received at 737051@bugs.debian.org:

From: Julien Cristau <julien.cristau@logilab.fr>
To: Jakub Wilk <jwilk@debian.org>, 737051@bugs.debian.org
Subject: Re: Bug#737051: python-logilab-common: insecure use of /tmp
Date: Mon, 3 Feb 2014 15:12:14 +0100
Thanks for the report, Jakub.

On Wed, Jan 29, 2014 at 20:27:58 +0100, Jakub Wilk wrote:

> Package: python-logilab-common
> Version: 0.60.1-1
> Severity: important
> Tags: security
> 
> I saw these gems in logilab/common/pdf_ext.py:
> 
> def extract_keys_from_pdf(filename):
>     # what about using 'pdftk filename dump_data_fields' and parsing the output ?
>     os.system('pdftk %s generate_fdf output /tmp/toto.fdf' % filename)
>     lines = file('/tmp/toto.fdf').readlines()
>     return extract_keys(lines)
> 
> def fill_pdf(infile, outfile, fields):
>     write_fields(file('/tmp/toto.fdf', 'w'), fields)
>     os.system('pdftk %s fill_form /tmp/toto.fdf output %s flatten' % (infile, outfile))
> 
Tracked upstream as http://www.logilab.org/ticket/207561

On Wed, Jan 29, 2014 at 21:21:49 +0100, Jakub Wilk wrote:

> More vulnerable code in logilab/common/shellutils.py:
> 
> class Execute:
>     """This is a deadlock safe version of popen2 (no stdin), that returns
>     an object with errorlevel, out and err.
>     """
> 
>     def __init__(self, command):
>         outfile = tempfile.mktemp()
>         errfile = tempfile.mktemp()
>         self.status = os.system("( %s ) >%s 2>%s" %
>                                 (command, outfile, errfile)) >> 8
>         self.out = open(outfile, "r").read()
>         self.err = open(errfile, "r").read()
>         os.remove(outfile)
>         os.remove(errfile)
> 
> From the tempfile.mktemp() docstring: “This function is unsafe and
> should not be used. The file name refers to a file that did not
> exist at some point, but by the time you get around to creating it,
> someone else may have beaten you to the punch.”
> 
Tracked as http://www.logilab.org/ticket/207562

Cheers,
Julien
-- 
Julien Cristau <julien.cristau@logilab.fr>
Logilab http://www.logilab.fr/
Scientific computing & knowledge management



Added tag(s) upstream and fixed-upstream. Request was from Julien Cristau <julien.cristau@logilab.fr> to control@bugs.debian.org. (Tue, 11 Feb 2014 17:39:05 GMT)


Added tag(s) pending. Request was from morph@users.alioth.debian.org to control@bugs.debian.org. (Tue, 18 Feb 2014 16:42:11 GMT)


Reply sent to Sandro Tosi <morph@debian.org>:
You have taken responsibility. (Tue, 18 Feb 2014 19:21:05 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Tue, 18 Feb 2014 19:21:05 GMT)


Message #27 received at 737051-close@bugs.debian.org:

From: Sandro Tosi <morph@debian.org>
To: 737051-close@bugs.debian.org
Subject: Bug#737051: fixed in logilab-common 0.61.0-1
Date: Tue, 18 Feb 2014 19:18:45 +0000
Source: logilab-common
Source-Version: 0.61.0-1

We believe that the bug you reported is fixed in the latest version of
logilab-common, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 737051@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sandro Tosi <morph@debian.org> (supplier of updated logilab-common package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 18 Feb 2014 20:03:39 +0100
Source: logilab-common
Binary: python-logilab-common python3-logilab-common
Architecture: source all
Version: 0.61.0-1
Distribution: unstable
Urgency: medium
Maintainer: Sandro Tosi <morph@debian.org>
Changed-By: Sandro Tosi <morph@debian.org>
Description: 
 python-logilab-common - useful miscellaneous modules used by Logilab projects
 python3-logilab-common - useful miscellaneous modules used by Logilab projects (Python3)
Closes: 737051
Changes: 
 logilab-common (0.61.0-1) unstable; urgency=medium
 .
   * New upstream release
     - fix insecure use of /tmp, thanks to Jakub Wilk for the report;
       Closes: #737051
   * Switch to dh_python2
   * debian/control
     - switch me to Maintainer (team to Uploaders)
   * debian/copyright
     - switch to DEP-5 format





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 24 Mar 2014 07:30:05 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:17:02 2019; Machine Name: buxtehude