Bug 1060304 (CVE-2014-1838, CVE-2014-1839)

Summary: CVE-2014-1838 CVE-2014-1839 python-logilab-common: multiple temporary file vulnerabilities
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: low
Priority: low
Version: unspecified
CC: bcl, bkearney, cpelland, jrusnack, katello-bugs, mmccune, mrunge
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2019-06-08 02:31:18 UTC
Bug Depends On: 1060306, 1060307
Bug Blocks: 1060305

Description Vincent Danen 2014-01-31 18:21:34 UTC
Jakub Wilk found and reported in a Debian bug report [1] the following flaws in the logilab-common Python module:

In logilab/common/pdf_ext.py it uses fully predictable names:

def extract_keys_from_pdf(filename):
    # what about using 'pdftk filename dump_data_fields' and parsing the output ?
    os.system('pdftk %s generate_fdf output /tmp/toto.fdf' % filename)
    lines = file('/tmp/toto.fdf').readlines()
    return extract_keys(lines)


def fill_pdf(infile, outfile, fields):
    write_fields(file('/tmp/toto.fdf', 'w'), fields)
    os.system('pdftk %s fill_form /tmp/toto.fdf output %s flatten' % (infile, outfile))


And in logilab/common/shellutils.py:

class Execute:
    """This is a deadlock safe version of popen2 (no stdin), that returns
    an object with errorlevel, out and err.
    """

    def __init__(self, command):
        outfile = tempfile.mktemp()
        errfile = tempfile.mktemp()
        self.status = os.system("( %s ) >%s 2>%s" %
                                (command, outfile, errfile)) >> 8
        self.out = open(outfile, "r").read()
        self.err = open(errfile, "r").read()
        os.remove(outfile)
        os.remove(errfile)


tempfile.mktemp() should be replaced with tempfile.mkstemp() as it is documented [2] as insecure.


[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737051
[2] http://docs.python.org/2/library/tempfile.html
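Added example (not from the report or from logilab-common): a hardened counterpart of the two patterns quoted above, applying the mkstemp() recommendation. `private_tempfile`, `SafeExecute` and this `fill_pdf` wrapper are assumed names; `write_fields` is the library's own FDF writer, passed in because it is not reproduced here.

```python
import os
import stat
import subprocess
import tempfile


def private_tempfile(prefix):
    # mkstemp() opens with O_CREAT|O_EXCL and mode 0600: a file or symlink
    # pre-planted at a guessed name makes the call fail instead of being
    # followed, unlike the fixed /tmp/toto.fdf or mktemp()'s bare name.
    fd, path = tempfile.mkstemp(prefix=prefix)
    st = os.fstat(fd)  # check the descriptor, not the path, to avoid a race
    if not stat.S_ISREG(st.st_mode) or stat.S_IMODE(st.st_mode) & 0o077:
        os.close(fd)
        os.remove(path)
        raise RuntimeError("temp file is not a private regular file: " + path)
    return fd, path


class SafeExecute:
    """Hardened counterpart of Execute (assumed name, added here): same
    .status/.out/.err interface, but the child writes into descriptors we
    already hold, so the shell never reopens a /tmp path by name."""

    def __init__(self, command):
        out_fd, out_path = private_tempfile("exec-out-")
        err_fd, err_path = private_tempfile("exec-err-")
        try:
            with os.fdopen(out_fd, "r+") as out_f, os.fdopen(err_fd, "r+") as err_f:
                proc = subprocess.run(command, shell=True, stdout=out_f, stderr=err_f)
                self.status = proc.returncode
                out_f.seek(0)
                self.out = out_f.read()
                err_f.seek(0)
                self.err = err_f.read()
        finally:
            os.remove(out_path)
            os.remove(err_path)


def fill_pdf(infile, outfile, fields, write_fields):
    # Counterpart of pdf_ext.fill_pdf: the FDF goes to a private temp file
    # rather than the world-predictable /tmp/toto.fdf; pdftk must be installed.
    fd, fdf_path = private_tempfile("fdf-")
    try:
        with os.fdopen(fd, "w") as fdf:
            write_fields(fdf, fields)
        argv = ["pdftk", infile, "fill_form", fdf_path, "output", outfile, "flatten"]
        return subprocess.run(argv).returncode
    finally:
        os.remove(fdf_path)
```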

Comment 1 Vincent Danen 2014-01-31 18:25:56 UTC
Created python-logilab-common tracking bugs for this issue:

Affects: epel-all [bug 1060306]
Affects: fedora-all [bug 1060307]

Comment 2 Murray McAllister 2014-02-03 07:26:19 UTC
The logilab/common/pdf_ext.py issue was assigned CVE-2014-1838

The logilab/common/shellutils.py issue was assigned CVE-2014-1839

Reference: http://seclists.org/oss-sec/2014/q1/226

Comment 3 Fedora Update System 2014-03-19 08:39:38 UTC
pylint-1.1.0-1.fc20, python-astroid-1.0.1-2.fc20, python-logilab-common-0.61.0-1.fc20 have been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Kurt Seifried 2014-07-16 06:17:57 UTC
Sat6 no longer contains this package; as it won't be included in the Sat6 GA, I'm removing it from the whiteboard.

Comment 5 Fedora Update System 2015-02-27 22:41:24 UTC
pylint-1.3.1-1.el6, python-logilab-common-0.62.1-2.el6, python-astroid-1.2.1-2.el6 have been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Product Security DevOps Team 2019-06-08 02:31:18 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.