From ${URL} : eyeD3/tag.py contains this code (twice):

    # Open tmp file
    tmpName = tempfile.mktemp();
    tmpFile = file(tmpName, "w+b");

From the tempfile.mktemp() docstring: "This function is unsafe and should not be used. The file name refers to a file that did not exist at some point, but by the time you get around to creating it, someone else may have beaten you to the punch."

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
CVE-2014-1934 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1934): tag.py in eyeD3 (aka python-eyed3) 7.0.3, 0.6.18, and earlier for Python allows local users to modify arbitrary files via a symlink attack on a temporary file.
@maintainers: please clarify whether slot :0 is fixed or not and change the bug description accordingly.
dev-python/eyeD3-0.6.18-r1:0 and dev-python/eyeD3-0.7.4-r1:0.7 both utilize tempfile.mktemp().

    % grep -RF mktemp eyeD3-0.6.18
    eyeD3-0.6.18/src/eyeD3/tag.py: tmpName = tempfile.mktemp();
    eyeD3-0.6.18/src/eyeD3/tag.py: tmpName = tempfile.mktemp();
    % grep -RF mktemp eyeD3-0.7.4
    eyeD3-0.7.4/src/eyed3/id3/tag.py: tmp_name = tempfile.mktemp()
    eyeD3-0.7.4/src/eyed3/id3/tag.py: tmp_name = tempfile.mktemp()

We would need to patch both versions. dev-python/eyeD3 has no reverse dependencies, so I think we should just mask/remove it. If somebody from the sound herd wants to step in to save it, now would be a good time to speak up.
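To make the symlink race concrete: the following is an added example, not code from eyeD3 or from any of the commenters above, and it assumes a POSIX filesystem where an unprivileged user can create symlinks in the shared temp directory. It contrasts the mktemp()-then-open() pattern quoted in the report with an O_CREAT|O_EXCL open and with the mkstemp()-plus-rename rewrite a tag writer actually needs. The file names, the "predicted" temp name and the victim file are constructed for the demo; how upstream eventually patched this is not shown on this page and is not claimed here.

```python
import os
import shutil
import tempfile


def unsafe_tmp_write(tmp_name, data):
    """eyeD3's pattern: tmp_name came from tempfile.mktemp() a moment ago.
    open(..., "w+b") follows whatever an attacker planted at that path in
    the meantime, so a symlink there redirects the write to its target."""
    with open(tmp_name, "w+b") as f:
        f.write(data)


def safe_tmp_write(tmp_name, data):
    """Hardened variant: O_CREAT|O_EXCL makes the kernel refuse if anything
    already exists at the path (a symlink included, regardless of target).
    O_NOFOLLOW is belt-and-braces on platforms that define it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(tmp_name, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def rewrite_atomically(path, data):
    """What a tag writer needs instead of mktemp(): mkstemp() creates a
    private file (O_EXCL, mode 0600) beside the target, we fill it, then
    rename it over the original so readers never see a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".eyeD3-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def demo():
    """Constructed scenario: an attacker who guessed the mktemp() name wins
    the race by planting a symlink to a file the victim user owns."""
    base = tempfile.mkdtemp()
    try:
        victim = os.path.join(base, "victim.txt")        # constructed target
        with open(victim, "wb") as f:
            f.write(b"original")

        predicted = os.path.join(base, "tmpAbC123")       # the "guessed" name
        os.symlink(victim, predicted)                     # attacker's move

        unsafe_tmp_write(predicted, b"clobbered")         # vulnerable pattern
        with open(victim, "rb") as f:
            after_unsafe = f.read()

        try:
            safe_tmp_write(predicted, b"blocked")         # hardened pattern
            safe_refused = False
        except OSError:                                   # EEXIST (or ELOOP)
            safe_refused = True
        with open(victim, "rb") as f:
            after_safe = f.read()

        rewrite_atomically(victim, b"rewritten")          # proper tag rewrite
        with open(victim, "rb") as f:
            after_rewrite = f.read()

        return {
            "after_unsafe": after_unsafe,    # b"clobbered": symlink followed
            "safe_refused": safe_refused,    # True: O_EXCL blocked the open
            "after_safe": after_safe,        # still b"clobbered": untouched
            "after_rewrite": after_rewrite,  # b"rewritten": atomic replace
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note that mkstemp() places the file in the same directory as the target on purpose: os.replace() is only atomic within one filesystem, and writing into a world-writable /tmp is exactly what made the predicted-name attack possible in the first place.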
anyone?

Upstream Version: 0.7.5
http://eyed3.nicfit.net/releases/eyeD3-0.7.5.tgz

    * dev-python/eyeD3
         Available versions:
         (0)   0.6.18 (~)0.6.18-r1 (~)0.6.18-r2
         (0.7) (~)0.7.1 (~)0.7.4 (~)0.7.4-r1 (~)0.7.4-r2 {PYTHON_TARGETS="python2_7"}

Wondering why it's not masked and long removed.
Please go ahead.
No, this bug is not a reason to remove eyeD3, which is used in-tree by multiple reverse dependencies, including mutagen, which in turn is used by multiple other reverse dependencies. Leave it alone if you don't have a fix.
Hmm... not sure how I missed those back in May. Sorry about that.
*eyeD3-0.7.5 (18 Sep 2014) 18 Sep 2014; Ian Delaney <idella4@gentoo.org> +eyeD3-0.7.5.ebuild: bump
eyeD3:0 has been removed from the tree.

Arch teams: Please get 0.7.5 stable.
Security: Please vote for GLSA.
amd64 stable
x86 stable
Stable for HPPA PPC64.
sparc stable
arm stable
ppc stable
alpha stable
ia64 stable
Arches, thank you for your work.

GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
25 Jul 2015; Ian Delaney <idella4@gentoo.org> -eyeD3-0.7.4-r2.ebuild, eyeD3-0.7.5.ebuild: remove redundant ref to instances of this package of SLOT 0, clean old version wrt bug #548966
GLSA Vote: No