Jakub Wilk found and reported, in a Debian bug report, the following flaws in the logilab-common Python module:
In logilab/common/pdf_ext.py it uses fully predictable names:

    # what about using 'pdftk filename dump_data_fields' and parsing the output ?
    os.system('pdftk %s generate_fdf output /tmp/toto.fdf' % filename)
    lines = file('/tmp/toto.fdf').readlines()

def fill_pdf(infile, outfile, fields):
    write_fields(file('/tmp/toto.fdf', 'w'), fields)
    os.system('pdftk %s fill_form /tmp/toto.fdf output %s flatten' % (infile, outfile))
And in logilab/common/shellutils.py:

    """This is a deadlock safe version of popen2 (no stdin), that returns
    an object with errorlevel, out and err.
    """
    def __init__(self, command):
        outfile = tempfile.mktemp()
        errfile = tempfile.mktemp()
        self.status = os.system("( %s ) >%s 2>%s" %
                                (command, outfile, errfile)) >> 8
        self.out = open(outfile, "r").read()
        self.err = open(errfile, "r").read()
tempfile.mktemp() should be replaced with tempfile.mkstemp(), as mktemp() is documented as insecure.
Created python-logilab-common tracking bugs for this issue:
Affects: epel-all [bug 1060306]
Affects: fedora-all [bug 1060307]
The logilab/common/pdf_ext.py issue was assigned CVE-2014-1838
The logilab/common/shellutils.py issue was assigned CVE-2014-1839
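For reference, here is a hardened rewrite of the two patterns quoted above. It is an added illustration, not code from logilab-common or from the bug report: the FDF scratch file and the captured stdout/stderr all go through tempfile.mkstemp(), which creates an unpredictable name with O_CREAT|O_EXCL and mode 0600 and returns an already-open descriptor, so the process never re-opens a guessable path by name. The function names (write_private_tempfile, run_capture, is_private) are this example's own, and the command is passed as an argv list rather than interpolated into a shell string.

```python
import os
import stat
import subprocess
import tempfile


def write_private_tempfile(data, suffix=""):
    """Replacement for the fixed '/tmp/toto.fdf' in pdf_ext.py: mkstemp()
    picks the name, opens it O_EXCL with mode 0600, and we write through
    that descriptor. Returns the path; the caller unlinks it when done."""
    fd, path = tempfile.mkstemp(suffix=suffix)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def run_capture(argv):
    """Hardened version of the Execute pattern in shellutils.py.
    stdout/stderr are mkstemp() files whose descriptors are handed straight
    to the child (never re-opened by name), and argv is a list, so nothing
    is interpolated into a shell. Returns (status, out, err)."""
    out_fd, out_path = tempfile.mkstemp(prefix="exec-out-")
    err_fd, err_path = tempfile.mkstemp(prefix="exec-err-")
    try:
        with os.fdopen(out_fd, "w+") as out_f, os.fdopen(err_fd, "w+") as err_f:
            status = subprocess.call(argv, stdout=out_f, stderr=err_f)
            out_f.seek(0)
            err_f.seek(0)
            out, err = out_f.read(), err_f.read()
    finally:
        os.unlink(out_path)
        os.unlink(err_path)
    return status, out, err


def is_private(path):
    """True if path is a regular file readable and writable only by its owner,
    which is what mkstemp() guarantees and mktemp()/fixed names do not."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o600


if __name__ == "__main__":
    # Constructed sample inputs: a minimal FDF header and a shell command
    # that writes to both streams and exits non-zero.
    fdf = write_private_tempfile("%FDF-1.2\n", suffix=".fdf")
    print(fdf, is_private(fdf))
    os.unlink(fdf)
    print(run_capture(["sh", "-c", "echo out; echo err >&2; exit 3"]))
```
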
pylint-1.1.0-1.fc20, python-astroid-1.0.1-2.fc20, python-logilab-common-0.61.0-1.fc20 have been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Sat6 no longer contains this package; as it won't be included in the Sat6 GA, I'm removing it from the whiteboard.
pylint-1.3.1-1.el6, python-logilab-common-0.62.1-2.el6, python-astroid-1.2.1-2.el6 have been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.