Bug#737062: python-eyed3: CVE-2014-1934: insecure use of /tmp
Control: tags -1 + patch
Here is the patch I backported from upstream to the older version in
Debian. I just uploaded it in 0.6.18-3 as
debian/patches/CVE-2014-1934.patch.
Description: Avoid insecure use of file in /tmp/
Based on upstream fix for CVE-2014-1934,
<URL: https://bitbucket.org/nicfit/eyed3/commits/372bbacb7a70 >,
adjusted to cope with the older version of the code.
Author: Petter Reinholdtsen <pere@hungry.com>
Bug: https://bitbucket.org/nicfit/eyed3/issue/65/tagpy-in-eyed3-allows-local-users-to
Bug-Debian: https://bugs.debian.org/737062
Forwarded: not-needed
Reviewed-By: Petter Reinholdtsen <pere@hungry.com>
Last-Update: 2016-09-10
--- eyed3-0.6.18.orig/src/eyeD3/tag.py
+++ eyed3-0.6.18/src/eyeD3/tag.py
@@ -561,8 +561,7 @@ class Tag:
tagFile.seek(tagSize);
# Open tmp file
- tmpName = tempfile.mktemp();
- tmpFile = file(tmpName, "w+b");
+ tmpFile = tempfile.NamedTemporaryFile("wb", delete=False);
# Write audio data in chunks
self.__copyRemaining(tagFile, tmpFile);
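Review bot: the open mode silently changes from "w+b" to "wb" in this hunk; `file(tmpName, "w+b")` was read-write, `tempfile.NamedTemporaryFile("wb", delete=False)` is write-only. That is safe only if nothing seeks or reads back through `tmpFile` before the `tmpFile.close()` in the next hunk (the data is re-read there by name via `shutil.copyfile`, not via the handle), so either confirm that for the elided lines in between or keep `"w+b"` as the minimal-change backport. Separately, with `delete=False` and no `try`/`finally` around `self.__copyRemaining(tagFile, tmpFile)`, an exception leaves the temp file behind; it is created 0600 so this is a leak rather than a disclosure, but worth a `finally: os.unlink(tmpFile.name)`.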
@@ -572,8 +571,8 @@ class Tag:
tmpFile.close();
# Move tmp to orig.
- shutil.copyfile(tmpName, self.linkedFile.name);
- os.unlink(tmpName);
+ shutil.copyfile(tmpFile.name, self.linkedFile.name);
+ os.unlink(tmpFile.name);
retval |= 1;
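Review bot: `shutil.copyfile(tmpFile.name, self.linkedFile.name)` followed by `os.unlink(tmpFile.name)` fixes the predictable-name race but is not an atomic replace: a crash or full disk in the middle of the copy leaves the original file truncated while the complete copy sits in /tmp. If you want to go beyond the minimal CVE fix, create the temp file next to the target (`tempfile.NamedTemporaryFile("wb", delete=False, dir=os.path.dirname(self.linkedFile.name))`) and `os.rename()` it over the original, which is atomic on the same filesystem and avoids /tmp entirely; note that `copyfile` writes into the existing target inode and so keeps its owner and mode, which a rename would not, so a `shutil.copymode()` would be needed in that variant.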
@@ -1309,8 +1308,7 @@ class Tag:
tagFile.close();
else:
# Open tmp file
- tmpName = tempfile.mktemp();
- tmpFile = file(tmpName, "w+b");
+ tmpFile = tempfile.NamedTemporaryFile("wb", delete=False);
TRACE_MSG("Writing %d bytes of tag data" % len(tagData));
tmpFile.write(tagData);
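Review bot: this is a second, identical copy of the temp-file creation from the first hunk, with the same "w+b" to "wb" mode change and the same `delete=False` without a `finally`. `tmpFile.write(tagData)` only writes, but the lines between this hunk and the `tmpFile.close()` in the next one are elided, so check them for any `tmpFile.seek`/`read` before relying on the write-only mode. Factoring the two sites into one small helper would keep them from drifting apart in future backports.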
@@ -1329,8 +1327,8 @@ class Tag:
tmpFile.close();
# Move tmp to orig.
- shutil.copyfile(tmpName, self.linkedFile.name);
- os.unlink(tmpName);
+ shutil.copyfile(tmpFile.name, self.linkedFile.name);
+ os.unlink(tmpFile.name);
# Update our state.
TRACE_MSG("Tag write complete. Updating state.");
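Review bot: same non-atomic copy-then-unlink as in the second hunk, and here the `os.unlink(tmpFile.name)` runs before "Update our state", so a failed `shutil.copyfile` raises past the unlink and leaves the temp file in /tmp while the target may already be partially overwritten. Wrapping the copy in `try`/`finally` with the unlink in the `finally` at least guarantees the cleanup; the rename-in-place variant would also make the write itself all-or-nothing.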
--
Happy hacking
Petter Reinholdtsen