Bug 500960 (CVE-2014-1934) - <dev-python/eyeD3-0.7.5: insecure use of /tmp (CVE-2014-1934)
Summary: <dev-python/eyeD3-0.7.5: insecure use of /tmp (CVE-2014-1934)
Status: RESOLVED FIXED
Alias: CVE-2014-1934
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugs.debian.org/cgi-bin/bugre...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-11 08:47 UTC by Agostino Sarubbo
Modified: 2015-09-08 06:33 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-02-11 08:47:53 UTC
From ${URL} :

eyeD3/tag.py contains this code (twice):

            # Open tmp file
            tmpName = tempfile.mktemp();
            tmpFile = file(tmpName, "w+b");

From the tempfile.mktemp() docstring: “This function is unsafe and 
should not be used. The file name refers to a file that did not exist at 
some point, but by the time you get around to creating it, someone else 
may have beaten you to the punch.”
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
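The safe counterpart to the mktemp() pattern quoted above, as an added example that is neither eyeD3's code nor the fix shipped in 0.7.5: mkstemp() creates the file itself under O_CREAT|O_EXCL, so a name that already exists (a file or a planted symlink) is refused rather than followed, and creating the temp file next to the target instead of in /tmp lets the final rename be atomic. The function names and the "victim"/"planted" files are constructed for the demonstration.

```python
import os
import tempfile


def safe_rewrite(path, data):
    """Rewrite `path` through a temp file in the same directory, then
    atomically rename it over the target: the secure replacement for the
    mktemp() + file(name, "w+b") pattern quoted in the description."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp() opens with O_CREAT|O_EXCL and mode 0600, so a name that
    # already exists (file or planted symlink) makes it fail, not follow.
    fd, tmp_name = tempfile.mkstemp(dir=directory, prefix=".rewrite-")
    try:
        with os.fdopen(fd, "wb") as tmp_file:
            tmp_file.write(data)
            tmp_file.flush()
            os.fsync(tmp_file.fileno())
        os.replace(tmp_name, path)  # atomic: readers see old or new, never partial
    except BaseException:
        os.unlink(tmp_name)
        raise


def exclusive_create_refused(path):
    """True if an O_EXCL create at `path` is refused because something
    (file or symlink) already exists there; False if it was created."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return True
    os.close(fd)
    return False


def demo():
    """Constructed scenario in a private temp dir: a 'victim' file, a
    symlink pointing at it, and a tag file to rewrite.  Returns
    (refused, victim_bytes, rewritten_bytes)."""
    with tempfile.TemporaryDirectory() as d:
        victim, link, tag = (os.path.join(d, n) for n in ("victim", "planted", "song.mp3"))
        with open(victim, "wb") as f:
            f.write(b"original")
        os.symlink(victim, link)  # stands in for a name pre-planted by another user
        refused = exclusive_create_refused(link)
        with open(tag, "wb") as f:
            f.write(b"ID3old")
        safe_rewrite(tag, b"ID3new")
        with open(victim, "rb") as v, open(tag, "rb") as t:
            return refused, v.read(), t.read()
```

Run demo() to see the exclusive create refused on the planted name while the victim file stays untouched and the tag file is rewritten in place.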
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-05-16 12:30:24 UTC
CVE-2014-1934 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1934):
  tag.py in eyeD3 (aka python-eyed3) 7.0.3, 0.6.18, and earlier for Python
  allows local users to modify arbitrary files via a symlink attack on a
  temporary file.
Comment 2 Sergey Popov gentoo-dev 2014-05-16 12:33:58 UTC
@maintainers: please clarify whether the :0 slot is fixed or not and change the bug description accordingly
Comment 3 Mike Gilbert gentoo-dev 2014-05-17 16:44:02 UTC
dev-python/eyeD3-0.6.18-r1:0 and dev-python/eyeD3-0.7.4-r1:0.7 both utilize tempfile.mktemp().

% grep -RF mktemp   
eyeD3-0.6.18/src/eyeD3/tag.py:            tmpName = tempfile.mktemp();
eyeD3-0.6.18/src/eyeD3/tag.py:         tmpName = tempfile.mktemp();

% grep -RF mktemp         
eyeD3-0.7.4/src/eyed3/id3/tag.py:                tmp_name = tempfile.mktemp()
eyeD3-0.7.4/src/eyed3/id3/tag.py:                    tmp_name = tempfile.mktemp()

We would need to patch both versions.

dev-python/eyeD3 has no reverse dependencies, so I think we should just mask/remove it. If somebody from the sound herd wants to step in to save it, now would be a good time to speak up.
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2014-09-18 03:34:08 UTC
anyone?
Upstream Version: 0.7.5 http://eyed3.nicfit.net/releases/eyeD3-0.7.5.tgz

* dev-python/eyeD3
     Available versions:  
     (0)    0.6.18 (~)0.6.18-r1 (~)0.6.18-r2
     (0.7)  (~)0.7.1 (~)0.7.4 (~)0.7.4-r1 (~)0.7.4-r2
       {PYTHON_TARGETS="python2_7"}

Wondering why it's not masked and long removed
Comment 5 Mike Gilbert gentoo-dev 2014-09-18 04:00:47 UTC
Please go ahead.
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2014-09-18 04:24:25 UTC
no, this bug is not a reason to remove eyeD3, which is used in tree by multiple reverse dependencies, including mutagen, which in turn is used by multiple other reverse dependencies
leave it alone if you don't have a fix
Comment 7 Mike Gilbert gentoo-dev 2014-09-18 11:39:39 UTC
Hmm... not sure how I missed those back in May. Sorry about that.
Comment 8 Ian Delaney (RETIRED) gentoo-dev 2014-09-18 15:13:20 UTC
*eyeD3-0.7.5 (18 Sep 2014)

  18 Sep 2014; Ian Delaney <idella4@gentoo.org> +eyeD3-0.7.5.ebuild:
  bump
Comment 9 Manuel Rüger (RETIRED) gentoo-dev 2015-06-13 09:10:04 UTC
eyeD3:0 has been removed from the tree. 

Arch teams: Please get 0.7.5 stable

Security: Please vote for GLSA
Comment 10 Agostino Sarubbo gentoo-dev 2015-06-13 10:25:58 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-06-13 10:27:14 UTC
x86 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2015-06-13 11:05:00 UTC
Stable for HPPA PPC64.
Comment 13 Agostino Sarubbo gentoo-dev 2015-06-17 08:51:28 UTC
sparc stable
Comment 14 Markus Meier gentoo-dev 2015-06-19 17:12:55 UTC
arm stable
Comment 15 Agostino Sarubbo gentoo-dev 2015-06-24 08:09:33 UTC
ppc stable
Comment 16 Agostino Sarubbo gentoo-dev 2015-07-03 08:33:25 UTC
alpha stable
Comment 17 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-16 19:36:52 UTC
ia64 stable
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2015-07-21 02:24:45 UTC
Arches, thank you for your work.
GLSA Vote: No
Maintainer(s), please drop the vulnerable version(s).
Comment 19 Ian Delaney (RETIRED) gentoo-dev 2015-07-25 00:29:38 UTC
  25 Jul 2015; Ian Delaney <idella4@gentoo.org> -eyeD3-0.7.4-r2.ebuild,
  eyeD3-0.7.5.ebuild:
  remove redundant ref to instances of this package of SLOT 0, clean old version
  wrt bug #548966
Comment 20 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-09-08 06:33:12 UTC
GLSA Vote: No