CVE request: temp file issues in python's logilab-common module

["Vincent Danen" <vdanen () redhat com>]

Some temporary file issues were reported by Jakub Wilk (quoting from our bug report):

In logilab/common/pdf_ext.py it uses fully predictable names:

def extract_keys_from_pdf(filename):
    # what about using 'pdftk filename dump_data_fields' and parsing the output ?
    os.system('pdftk %s generate_fdf output /tmp/toto.fdf' % filename)
    lines = file('/tmp/toto.fdf').readlines()
    return extract_keys(lines)


def fill_pdf(infile, outfile, fields):
    write_fields(file('/tmp/toto.fdf', 'w'), fields)
    os.system('pdftk %s fill_form /tmp/toto.fdf output %s flatten' % (infile, outfile))


And in logilab/common/shellutils.py:

class Execute:
    """This is a deadlock safe version of popen2 (no stdin), that returns
    an object with errorlevel, out and err.
    """

    def __init__(self, command):
        outfile = tempfile.mktemp()
        errfile = tempfile.mktemp()
        self.status = os.system("( %s ) >%s 2>%s" %
                                (command, outfile, errfile)) >> 8
        self.out = open(outfile, "r").read()
        self.err = open(errfile, "r").read()
        os.remove(outfile)
        os.remove(errfile)


tempfile.mktemp() should be replaced with tempfile.mkstemp() as it is documented as insecure.


I don't believe a CVE has been requested for this already.  Can one be assigned please?


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1060304
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737051
https://bugs.gentoo.org/show_bug.cgi?id=499872
http://secunia.com/advisories/56720/

-- 
Vincent Danen / Red Hat Security Response Team

Attachment: signature.asc
Description: OpenPGP digital signature