Bug 861822 (CVE-2014-1838)

Summary: VUL-0: CVE-2014-1838: python-logilab-common: multiple temporary file vulnerabilities
Product: [Novell Products] SUSE Security Incidents
Reporter: Victor Pereira <vpereira>
Component: Incidents
Assignee: Dirk Mueller <dmueller>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: meissner, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: maint:released:sle11-sp3:56107
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Victor Pereira 2014-02-03 13:03:26 UTC
CVE-2014-1838 and CVE-2014-1839

Two vulnerabilities in the python-logilab-common module were found. Both are related to temporary file handling.

The first one, CVE-2014-1838:

In logilab/common/pdf_ext.py, fully predictable file names are used:

def extract_keys_from_pdf(filename):
    # what about using 'pdftk filename dump_data_fields' and parsing the output ?
    os.system('pdftk %s generate_fdf output /tmp/toto.fdf' % filename)
    lines = file('/tmp/toto.fdf').readlines()
    return extract_keys(lines)


def fill_pdf(infile, outfile, fields):
    write_fields(file('/tmp/toto.fdf', 'w'), fields)
    os.system('pdftk %s fill_form /tmp/toto.fdf output %s flatten' % (infile, outfile))


The second one, CVE-2014-1839:

In logilab/common/shellutils.py:

class Execute:
    """This is a deadlock safe version of popen2 (no stdin), that returns
    an object with errorlevel, out and err.
    """

    def __init__(self, command):
        outfile = tempfile.mktemp()
        errfile = tempfile.mktemp()
        self.status = os.system("( %s ) >%s 2>%s" %
                                (command, outfile, errfile)) >> 8
        self.out = open(outfile, "r").read()
        self.err = open(errfile, "r").read()
        os.remove(outfile)
        os.remove(errfile)


tempfile.mktemp() should be replaced with tempfile.mkstemp().

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737051
https://bugs.gentoo.org/show_bug.cgi?id=499872
https://bugzilla.redhat.com/show_bug.cgi?id=1060304
http://secunia.com/advisories/56720/
http://comments.gmane.org/gmane.comp.security.oss.general/11986
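Added example (not logilab-common's own code or its eventual fix): safer counterparts for the two patterns quoted in the report. The Execute-style helper captures output through pipes so no temporary file is needed at all, and the fill_pdf-style helper creates its scratch file with tempfile.mkstemp, the replacement the report asks for, instead of a fixed /tmp/toto.fdf. The class and function names, the "key=value" scratch-file format, the pdftk argument order and the demo command are assumptions made for this example.

```python
# Added example, not code from python-logilab-common.  Both helpers avoid
# fixed or guessable paths under /tmp and never interpolate filenames into
# a shell command string.
import os
import stat
import subprocess
import sys
import tempfile
from typing import Dict, Sequence


class SafeExecute:
    """Same interface as logilab's Execute (status, out, err), but output is
    captured via pipes: there is no temporary file for a local user to
    pre-create or replace with a symlink.  Takes an argv list, not a shell
    string, so arguments are passed to the program unchanged."""

    def __init__(self, argv: Sequence[str]) -> None:
        proc = subprocess.run(list(argv), capture_output=True, text=True)
        self.status = proc.returncode   # equivalent of os.system(...) >> 8
        self.out = proc.stdout
        self.err = proc.stderr


def write_fields_to_private_tempfile(fields: Dict[str, str]) -> str:
    """Write field/value pairs to a fresh file created by mkstemp, i.e. with
    O_CREAT|O_EXCL, an unpredictable name and mode 0600.  The caller owns the
    returned path and must remove it.  The 'key=value' line format is a
    constructed stand-in for the real FDF syntax, not a real FDF file."""
    fd, path = tempfile.mkstemp(prefix="fdf-", suffix=".fdf")
    try:
        with os.fdopen(fd, "w") as f:   # fdopen takes over the descriptor
            for key, value in fields.items():
                f.write(f"{key}={value}\n")
    except BaseException:
        os.remove(path)
        raise
    return path


def fill_pdf_safely(infile: str, outfile: str, fields: Dict[str, str],
                    pdftk: str = "pdftk") -> int:
    """Counterpart of fill_pdf: private scratch file, argv list, and cleanup
    even if pdftk fails.  The pdftk argument order is assumed here."""
    fdf = write_fields_to_private_tempfile(fields)
    try:
        return SafeExecute([pdftk, infile, "fill_form", fdf,
                            "output", outfile, "flatten"]).status
    finally:
        os.remove(fdf)


def tempfile_is_private(path: str) -> bool:
    """Check what mkstemp guarantees and mktemp/a fixed path do not:
    a regular file (not a symlink), owned by us, mode 0600."""
    st = os.lstat(path)
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.getuid()
            and (st.st_mode & 0o777) == 0o600)


def demo() -> dict:
    """Exercise both helpers with a constructed command and field set."""
    # Constructed child process: prints to stdout and stderr, exits with 3.
    snippet = ("import sys; sys.stdout.write('hi\\n'); "
               "sys.stderr.write('err\\n'); sys.exit(3)")
    run = SafeExecute([sys.executable, "-c", snippet])

    path = write_fields_to_private_tempfile({"name": "alice", "id": "42"})
    try:
        private = tempfile_is_private(path)
        with open(path) as f:
            content = f.read()
    finally:
        os.remove(path)

    return {"status": run.status, "out": run.out, "err": run.err,
            "path": path, "private": private, "content": content}


if __name__ == "__main__":
    print(demo())
```

Using pipes removes the temporary file entirely, which is the simplest fix for the shellutils case; where an external tool such as pdftk insists on a file argument, mkstemp plus a try/finally removal is the pattern to use, and the 0600 mode check shows what a reviewer can verify on the created file.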
Comment 1 Swamp Workflow Management 2014-02-03 13:16:46 UTC
The SWAMPID for this issue is 56094.
This issue was rated as moderate.
Please submit fixed packages until 2014-02-17.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 2 Swamp Workflow Management 2014-02-03 23:00:58 UTC
bugbot adjusting priority
Comment 4 Swamp Workflow Management 2014-02-27 11:47:25 UTC
Update released for: python-logilab-common
Products:
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
Comment 5 Swamp Workflow Management 2014-02-27 15:04:24 UTC
SUSE-SU-2014:0301-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 861822
CVE References: CVE-2014-1838,CVE-2014-1839
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    python-logilab-common-0.56.2-1.9.1
Comment 6 Swamp Workflow Management 2014-02-28 10:04:23 UTC
openSUSE-SU-2014:0306-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 861822
CVE References: CVE-2014-1838,CVE-2014-1839
Sources used:
openSUSE 13.1 (src):    python-logilab-common-0.58.0-7.4.1
openSUSE 12.3 (src):    python-logilab-common-0.58.0-4.4.1, python3-logilab-common-0.58.0-4.4.1
Comment 7 Marcus Meissner 2014-03-07 10:07:42 UTC
released