Thanks for the report, Jakub.
On Wed, Jan 29, 2014 at 20:27:58 +0100, Jakub Wilk wrote:
> Package: python-logilab-common
> Version: 0.60.1-1
> Severity: important
> Tags: security
>
> I saw these gems in logilab/common/pdf_ext.py:
>
> def extract_keys_from_pdf(filename):
> # what about usin
Control: retitle -1 python-logilab-common: insecure use of /tmp (CVE-2014-1838 CVE-2014-1839)
Hi Jakub,
FYI, two CVEs were assigned for these issues: CVE-2014-1838 and
CVE-2014-1839, see [1] for the assignment.
[1] http://marc.info/?l=oss-security&m=139139947905109&w=2
Regards,
Salvatore
--
More vulnerable code in logilab/common/shellutils.py:
class Execute:
"""This is a deadlock safe version of popen2 (no stdin), that returns
an object with errorlevel, out and err.
"""
def __init__(self, command):
outfile = tempfile.mktemp()
errfile = tempfile.mktem
Package: python-logilab-common
Version: 0.60.1-1
Severity: important
Tags: security
I saw these gems in logilab/common/pdf_ext.py:
def extract_keys_from_pdf(filename):
# what about using 'pdftk filename dump_data_fields' and parsing the output?
os.system('pdftk %s generate_fdf output /
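The two patterns quoted in this bug are a tempfile.mktemp() name race (the name is handed out before any file exists, so a symlink planted in /tmp gets followed when the file is finally opened) and a shell command built from an attacker-influenced filename with %-formatting. The block below is an added example for this archive page, not code from the thread or from logilab-common: it shows the hardened counterparts and lets you observe both properties directly. SafeExecute and the helper names are hypothetical; it assumes Python 3.7+ (subprocess.run with capture_output) on a POSIX system.

```python
"""Hardened counterparts to the mktemp()-based Execute class and the
os.system('pdftk %s ...' % filename) call quoted in this bug report.
Added example; SafeExecute and the helpers are hypothetical names."""
import ast
import os
import stat
import subprocess
import sys
import tempfile


class SafeExecute:
    """Shaped like the quoted Execute (status/out/err attributes) but with
    no shell and no files in /tmp: stdout and stderr are captured through
    pipes, so there is nothing for a local attacker to pre-create or symlink."""

    def __init__(self, argv):
        # argv is a list: execve() receives each element verbatim, so a
        # filename containing ';' or '$(...)' can never become a command.
        proc = subprocess.run(
            argv, stdin=subprocess.DEVNULL, capture_output=True, text=True
        )
        self.status = proc.returncode
        self.out = proc.stdout
        self.err = proc.stderr


def run_echo_child(out_text, err_text, exit_code):
    """Run a Python child that writes out_text/err_text to stdout/stderr and
    exits with exit_code; returns (status, out, err) as SafeExecute saw them."""
    code = (
        "import sys; sys.stdout.write(sys.argv[1]); "
        "sys.stderr.write(sys.argv[2]); sys.exit(int(sys.argv[3]))"
    )
    ex = SafeExecute(
        [sys.executable, "-c", code, out_text, err_text, str(exit_code)]
    )
    return ex.status, ex.out, ex.err


def argv_seen_by_child(filename):
    """Hand a hostile filename to a child the way pdftk should be invoked
    (argument list, never a formatted shell string) and return the argv the
    child actually received: one element, metacharacters intact and inert."""
    ex = SafeExecute(
        [sys.executable, "-c", "import sys; print(repr(sys.argv[1:]))", filename]
    )
    return ast.literal_eval(ex.out.strip())


def private_tempfile_roundtrip(data):
    """The fix for tempfile.mktemp(): mkstemp() creates the file itself with
    O_CREAT|O_EXCL and mode 0600, so nobody learns the name before the file
    exists and a planted symlink makes the open fail instead of being
    followed. Writes data, then returns (permission bits, bytes read back)
    and removes the file."""
    fd, path = tempfile.mkstemp(prefix="pdf_ext-", suffix=".fdf")
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "rb") as fh:
        read_back = fh.read()
    os.remove(path)
    return mode, read_back


if __name__ == "__main__":
    print(run_echo_child("ok", "warn", 3))
    print(argv_seen_by_child("report.pdf; touch /tmp/pwned"))
    # constructed sample payload standing in for pdftk's FDF output
    mode, data = private_tempfile_roundtrip(b"%FDF-1.2\n")
    print(oct(mode), data)
```

The second helper is the point of the os.system() half of the report: with an argument list, the string `report.pdf; touch /tmp/pwned` arrives in the child as a single argv entry, whereas passed through `os.system('pdftk %s ...' % filename)` the shell would split it at the `;` and run the second command. If the tool you call really needs a temporary output file (as pdftk's `output` does), pass the path returned by mkstemp(), or create it inside a `tempfile.TemporaryDirectory()`, rather than a mktemp() name.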