oss-sec mailing list archives

LinuxMint - temp file creation vulns in mintNanny and mintUpdate


From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 19 Mar 2012 13:34:28 -0600

mscherer () redhat com reported these to me:

Two issues in LinuxMint:

First a temporary file creation flaw in mintNanny:

https://github.com/linuxmint/mintnanny/blob/master/usr/lib/linuxmint/mintNanny/mintNanny.py#L70

Please use CVE-2012-1566 for this issue.

Secondly a temporary file creation flaw in mintUpdate:

https://github.com/linuxmint/mintupdate/blob/master/usr/lib/linuxmint/mintUpdate/mintUpdate.py#L1444

Please use CVE-2012-1567 for this issue.

Also a note on fixing these issues:

Python

Simply use “mkstemp” from the “tempfile” module:

http://docs.python.org/library/tempfile.html#tempfile.mkstemp

I tried to find a LinuxMint security contact, nothing on the website
(e.g. http://www.linuxmint.com/teams.php), someone suggested
root () linuxmint com, here's hoping they see it.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
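
The fix recommended in the message above, as an added example that is not part of the original post and is not code from mintNanny or mintUpdate: a generic predictable-name write beside the `tempfile.mkstemp` form, both run inside a private sandbox directory. The function names and the file names `report.tmp` and `victim.conf` are assumptions constructed for illustration.

```python
import os
import stat
import tempfile


def write_predictable(directory, data):
    """Unsafe pattern: fixed name, and plain open() follows an existing symlink."""
    path = os.path.join(directory, "report.tmp")  # constructed, guessable name
    with open(path, "w") as fh:
        fh.write(data)
    return path


def write_with_mkstemp(directory, data):
    """Safe pattern: random name, opened with O_CREAT|O_EXCL and mode 0600."""
    fd, path = tempfile.mkstemp(prefix="report-", suffix=".tmp", dir=directory)
    with os.fdopen(fd, "w") as fh:  # reuse the returned descriptor, never reopen by name
        fh.write(data)
    return path


def demo():
    """Run both patterns in a sandbox where report.tmp already exists as a symlink."""
    with tempfile.TemporaryDirectory() as sandbox:
        victim = os.path.join(sandbox, "victim.conf")  # constructed stand-in file
        with open(victim, "w") as fh:
            fh.write("original")
        os.symlink(victim, os.path.join(sandbox, "report.tmp"))

        write_predictable(sandbox, "clobbered")  # write lands in the link target
        with open(victim) as fh:
            after_unsafe = fh.read()

        with open(victim, "w") as fh:  # restore the stand-in before the safe run
            fh.write("original")
        safe_path = write_with_mkstemp(sandbox, "data")
        with open(victim) as fh:
            after_safe = fh.read()
        st = os.lstat(safe_path)
        return {
            "after_unsafe": after_unsafe,
            "after_safe": after_safe,
            "safe_is_regular": stat.S_ISREG(st.st_mode),
            "safe_mode": stat.S_IMODE(st.st_mode),
        }


if __name__ == "__main__":
    print(demo())
```
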

