[Python-modules-team] Bug#560755: [Secure-testing-team] Bug#560755: python-docutils: insecure use of temporary files
Michael Gilbert
michael.s.gilbert at gmail.com
Fri Dec 11 23:02:04 UTC 2009
On Fri, 11 Dec 2009 23:43:30 +0100 Jakub Wilk wrote:
> Package: python-docutils
> Version: 0.5-2
> Severity: grave
> Tags: security help
> Justification: user security hole
>
> Emacs major mode for reStructuredText (rst.el) uses temporary files
> with predictable names in an insecure fashion:
>
> | (defun rst-compile-pdf-preview ()
> |   "Convert the document to a PDF file and launch a preview program."
> |   (interactive)
> |   (let* ((tmp-filename "/tmp/out.pdf")
> |          (command (format "%s %s %s && %s %s"
> |                           (cadr (assq 'pdf rst-compile-toolsets))
> |                           buffer-file-name tmp-filename
> |                           rst-pdf-program tmp-filename)))
> |     (start-process-shell-command "rst-pdf-preview" nil command)
> |     ;; Note: you could also use (compile command) to view the compilation
> |     ;; output.
> |     ))
> [...]
> | (defun rst-compile-slides-preview ()
> |   "Convert the document to an S5 slide presentation and launch a preview program."
> |   (interactive)
> |   (let* ((tmp-filename "/tmp/slides.html")
> |          (command (format "%s %s %s && %s %s"
> |                           (cadr (assq 's5 rst-compile-toolsets))
> |                           buffer-file-name tmp-filename
> |                           rst-slides-program tmp-filename)))
> |     (start-process-shell-command "rst-slides-preview" nil command)
> |     ;; Note: you could also use (compile command) to view the compilation
> |     ;; output.
> |     ))
>
> How to reproduce/exploit this bug
> ---------------------------------
>
> Attacker:
> $ ln -sf /path/to/file/the/attacker/want/to/overwrite /tmp/slides.html
>
> Victim:
> $ emacs foo.rst
> M-x rst-mode
> C-c 5
This information seems to be for an Emacs problem, but the bug was filed
against python-docutils. Was this a mistake, or is there a connection
between the two that I am missing?
mike
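The attack in the quoted report, as an added example that is not code from rst.el, docutils or the bug reporter: two private directories made with mkdtemp() stand in for /tmp and for the victim's home (constructed, so the script never touches the real /tmp); the attacker plants a symlink under the predictable name, a plain open() in the role of the converter overwrites the link target, and tempfile.mkstemp() (unpredictable name plus O_CREAT|O_EXCL and mode 0600) is shown as the hardened form. The function names, PREDICTABLE_NAME and the file important.txt are this example's own assumptions.

```python
"""Added demonstration of the fixed-name temporary-file bug reported above.

Constructed example, not code from rst.el or docutils.  Every path lives in
private directories made with tempfile.mkdtemp(), standing in for /tmp and
for the victim's home, so the demo never touches the real /tmp.
"""
import errno
import os
import tempfile

PREDICTABLE_NAME = "slides.html"   # the fixed name rst.el uses under /tmp


def attacker_plant_symlink(shared_dir, victim_target):
    """Attacker step, equivalent to `ln -sf <target> /tmp/slides.html`:
    pre-create the predictable name as a symlink to a file the attacker
    cannot write to directly but wants clobbered."""
    link = os.path.join(shared_dir, PREDICTABLE_NAME)
    os.symlink(victim_target, link)
    return link


def naive_writer(path, data):
    """Victim step as rst.el behaves: the converter is told to write its
    output to a fixed path.  A plain open() follows the planted symlink and
    truncates whatever it points at."""
    with open(path, "w") as f:
        f.write(data)


def exclusive_create(path):
    """O_CREAT|O_EXCL refuses to follow a symlink even when the name is
    already known: POSIX makes open() fail with EEXIST if the path is a
    symlink, dangling or not.  Returns True if the create was refused."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except OSError as e:
        return e.errno == errno.EEXIST
    os.close(fd)
    return False


def safe_writer(shared_dir, data):
    """Hardened form: mkstemp() combines an unpredictable name with
    O_CREAT|O_EXCL and mode 0600, so an attacker can neither guess the name
    in advance nor get a pre-planted link followed."""
    fd, path = tempfile.mkstemp(prefix="rst-slides-", suffix=".html",
                                dir=shared_dir)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def run_demo():
    """Run both writers against a planted symlink; return what happened."""
    shared_dir = tempfile.mkdtemp()   # stand-in for world-writable /tmp
    home = tempfile.mkdtemp()         # stand-in for the victim's home
    target = os.path.join(home, "important.txt")   # constructed victim file
    with open(target, "w") as f:
        f.write("original contents\n")

    link = attacker_plant_symlink(shared_dir, target)
    output = "<html>slides</html>\n"

    naive_writer(link, output)        # follows the link: target is clobbered
    with open(target) as f:
        after_naive = f.read()

    refused = exclusive_create(link)  # O_EXCL would have stopped this
    safe_path = safe_writer(shared_dir, output)
    with open(safe_path) as f:
        safe_contents = f.read()

    return {
        "target_clobbered": after_naive == output,
        "excl_refused_symlink": refused,
        "safe_path_is_fresh": (os.path.basename(safe_path) != PREDICTABLE_NAME
                               and not os.path.islink(safe_path)),
        "safe_contents_ok": safe_contents == output,
        "safe_mode": oct(os.stat(safe_path).st_mode & 0o777),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The Emacs Lisp counterpart of the hardened writer is `(make-temp-file "rst-slides" nil ".html")`, which builds an unpredictable name under `temporary-file-directory` and creates the file exclusively before returning its path; because the original code interpolates the path into a command line run by `start-process-shell-command`, the returned name should also be passed through `shell-quote-argument`.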