Control: tags -1 + patch Here is the patch I backported from upstream to the older version in Debian. I just uploaded it in 0.6.18-3 as debian/patches/CVE-2014-1934.patch.
Description: Avoid insecure use of file in /tmp/ Based on upstream fix for CVE-2014-1934, <URL: https://bitbucket.org/nicfit/eyed3/commits/372bbacb7a70 >, adjusted to cope with the older version of the code.
Author: Petter Reinholdtsen <p...@hungry.com>
Bug: https://bitbucket.org/nicfit/eyed3/issue/65/tagpy-in-eyed3-allows-local-users-to
Bug-Debian: https://bugs.debian.org/737062
Forwarded: not-needed
Reviewed-By: Petter Reinholdtsen <p...@hungry.com>
Last-Update: 2016-09-10
--- eyed3-0.6.18.orig/src/eyeD3/tag.py
+++ eyed3-0.6.18/src/eyeD3/tag.py
@@ -561,8 +561,7 @@ class Tag:
 tagFile.seek(tagSize);
 # Open tmp file
- tmpName = tempfile.mktemp();
- tmpFile = file(tmpName, "w+b");
+ tmpFile = tempfile.NamedTemporaryFile("wb", delete=False);
 # Write audio data in chunks
 self.__copyRemaining(tagFile, tmpFile);
@@ -572,8 +571,8 @@ class Tag:
 tmpFile.close();
 # Move tmp to orig.
- shutil.copyfile(tmpName, self.linkedFile.name);
- os.unlink(tmpName);
+ shutil.copyfile(tmpFile.name, self.linkedFile.name);
+ os.unlink(tmpFile.name);
 retval |= 1;
@@ -1309,8 +1308,7 @@ class Tag:
 tagFile.close();
 else:
 # Open tmp file
- tmpName = tempfile.mktemp();
- tmpFile = file(tmpName, "w+b");
+ tmpFile = tempfile.NamedTemporaryFile("wb", delete=False);
 TRACE_MSG("Writing %d bytes of tag data" % len(tagData));
 tmpFile.write(tagData);
@@ -1329,8 +1327,8 @@ class Tag:
 tmpFile.close();
 # Move tmp to orig.
- shutil.copyfile(tmpName, self.linkedFile.name);
- os.unlink(tmpName);
+ shutil.copyfile(tmpFile.name, self.linkedFile.name);
+ os.unlink(tmpFile.name);
 # Update our state.
 TRACE_MSG("Tag write complete. Updating state.");
--
Happy hacking Petter Reinholdtsen
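Review bot: With `delete=False`, nothing removes the temporary file when anything between `tempfile.NamedTemporaryFile("wb", delete=False)` and `os.unlink(tmpFile.name)` raises, so a failing `self.__copyRemaining(...)`, `tmpFile.write(tagData)` or `shutil.copyfile(...)` leaves a full copy of the audio data behind in the tmp directory; this applies equally to both write paths (the hunks at 561/572 and at 1309/1328). Each create-and-unlink pair should become a try/finally in which the write and the `shutil.copyfile(...)` sit inside the `try:` and the `finally:` holds only `os.unlink(tmpFile.name);`, so the temp file is cleaned up on every exit. The CVE fix itself is sound: `NamedTemporaryFile` creates the file with an unpredictable name, `O_EXCL` and mode 0600, which closes the predictable-name race that `tempfile.mktemp()` plus `file(tmpName, "w+b")` had. Copy-then-unlink rather than rename keeps the target's existing ownership and mode but is not atomic, so a crash mid-copy leaves a truncated target; renaming a temp file created with `dir=os.path.dirname(self.linkedFile.name)` over the target would fix that but changes which permissions the result carries, so I would treat it as a follow-up. Both enclosing methods start and end outside the hunks.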