Bug 861822 - (CVE-2014-1838) VUL-0: CVE-2014-1838: python-logilab-common: multiple temporary file vulnerabilities
(CVE-2014-1838)
VUL-0: CVE-2014-1838: python-logilab-common: multiple temporary file vulnerab...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Dirk Mueller
Security Team bot
maint:released:sle11-sp3:56107
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-02-03 13:03 UTC by Victor Pereira
Modified: 2014-03-07 10:07 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2014-02-03 13:03:26 UTC
CVE-2014-1838 and CVE-2014-1839

Two vulnerabilities in python-logilab-common module were found. Both are related with temporary file handling.

first one CVE-2014-1838:

In logilab/common/pdf_ext.py it uses fully predictable names:

def extract_keys_from_pdf(filename):
    # what about using 'pdftk filename dump_data_fields' and parsing the output ?
    os.system('pdftk %s generate_fdf output /tmp/toto.fdf' % filename)
    lines = file('/tmp/toto.fdf').readlines()
    return extract_keys(lines)


def fill_pdf(infile, outfile, fields):
    write_fields(file('/tmp/toto.fdf', 'w'), fields)
    os.system('pdftk %s fill_form /tmp/toto.fdf output %s flatten' % (infile, outfile))


the second one CVE-2014-1839:

in logilab/common/shellutils.py:

class Execute:
    """This is a deadlock safe version of popen2 (no stdin), that returns
    an object with errorlevel, out and err.
    """

    def __init__(self, command):
        outfile = tempfile.mktemp()
        errfile = tempfile.mktemp()
        self.status = os.system("( %s ) >%s 2>%s" %
                                (command, outfile, errfile)) >> 8
        self.out = open(outfile, "r").read()
        self.err = open(errfile, "r").read()
        os.remove(outfile)
        os.remove(errfile)


tempfile.mktemp() should be replaced with tempfile.mkstemp().

References:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737051
https://bugs.gentoo.org/show_bug.cgi?id=499872
https://bugzilla.redhat.com/show_bug.cgi?id=1060304
http://secunia.com/advisories/56720/
http://comments.gmane.org/gmane.comp.security.oss.general/11986
Comment 1 Swamp Workflow Management 2014-02-03 13:16:46 UTC
The SWAMPID for this issue is 56094.
This issue was rated as moderate.
Please submit fixed packages until 2014-02-17.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 2 Swamp Workflow Management 2014-02-03 23:00:58 UTC
bugbot adjusting priority
Comment 4 Swamp Workflow Management 2014-02-27 11:47:25 UTC
Update released for: python-logilab-common
Products:
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
Comment 5 Swamp Workflow Management 2014-02-27 15:04:24 UTC
SUSE-SU-2014:0301-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 861822
CVE References: CVE-2014-1838,CVE-2014-1839
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    python-logilab-common-0.56.2-1.9.1
Comment 6 Swamp Workflow Management 2014-02-28 10:04:23 UTC
openSUSE-SU-2014:0306-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 861822
CVE References: CVE-2014-1838,CVE-2014-1839
Sources used:
openSUSE 13.1 (src):    python-logilab-common-0.58.0-7.4.1
openSUSE 12.3 (src):    python-logilab-common-0.58.0-4.4.1, python3-logilab-common-0.58.0-4.4.1
Comment 7 Marcus Meissner 2014-03-07 10:07:42 UTC
rekeased