Jakub Wilk discovered two instances in tag.py where temporary files were created insecurely via mktemp(). A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file. Further details are available in the original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737062
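The difference between opening a pre-chosen temporary name (the `mktemp()` pattern reported above) and letting `mkstemp()` create the file, as an added example that is not eyeD3's code or the upstream patch. The function names, file names and the scratch-directory scenario are hypothetical and constructed for illustration.

```python
import os
import tempfile

def save_unsafe(data, tmp_path):
    # Pattern from the report: the name is picked first (as mktemp() does) and
    # opened later; open() follows any symlink already sitting at that name.
    with open(tmp_path, "wb") as fh:
        fh.write(data)

def save_safe(data, dest):
    # mkstemp() creates the file itself with O_CREAT|O_EXCL and mode 0600, so
    # a file or symlink already present under the chosen name is never reused.
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest)))
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp_path, dest)  # atomic rename on the same filesystem
    except BaseException:
        os.unlink(tmp_path)
        raise

def read(path):
    with open(path, "rb") as fh:
        return fh.read()

def demo():
    # Constructed scenario, confined to a private scratch directory.
    out = {}
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim.txt")
        planted = os.path.join(scratch, "tmpGUESSED")  # stand-in for a guessed name
        song = os.path.join(scratch, "song.mp3")       # hypothetical output file
        save_unsafe(b"original", victim)
        os.symlink(victim, planted)
        save_unsafe(b"tag data", planted)              # lands in victim.txt
        out["victim_after_unsafe"] = read(victim)
        try:  # the exclusive create that mkstemp() relies on
            os.close(os.open(planted, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
            out["excl_create_refused"] = False
        except FileExistsError:
            out["excl_create_refused"] = True
        save_unsafe(b"original", victim)               # reset for the safe run
        save_safe(b"tag data", song)
        out["victim_after_safe"] = read(victim)
        out["dest_after_safe"] = read(song)
    return out

if __name__ == "__main__":
    print(demo())
```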
Created python-eyed3 tracking bugs for this issue: Affects: fedora-all [bug 1063672] Affects: epel-6 [bug 1063673]
Upstream has fixed the issue: https://bitbucket.org/nicfit/eyed3/commits/372bbacb7a70
Created attachment 958810 [details] sym link attack patch Protect against sym link attack in tag.py
Created attachment 958847 [details] python-eyed3 spec file Modified python-eyed3 spec file containing sym link attack patch. This patch is for Fedora 20.
Created attachment 958849 [details] Modified sym link attack patch Modified the patch so that python-eyed3 can be built successfully with this patch.
python-eyed3-0.7.4-4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
python-eyed3-0.7.4-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
python-eyed3-0.7.4-5.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
python-eyed3-0.7.4-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
python-eyed3-0.7.4-4.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.