Public bug reported:

Binary package hint: python-ubuntuone-client

ubuntuone-client/ubuntuone/syncdaemon/fsm/fsm_draw.py creates a temporary
file with the fixed name "graph.debug" under /tmp.

Test case:
emanuel@emanuel-desktop:~$ export PYTHONPATH=/usr/share/xdot/
emanuel@emanuel-desktop:~$ python 
/usr/share/pyshared/ubuntuone-client/ubuntuone/syncdaemon/fsm/fsm_draw.py 
/usr/share/pyshared/ubuntuone-client/ubuntuone/syncdaemon/u1fsfsm.py
Parsing file...   (Mon Jun  6 15:32:14 2011)
Building graph... (Mon Jun  6 15:32:16 2011)
Drawing...        (Mon Jun  6 15:32:16 2011)
emanuel@emanuel-desktop:~$ ls -laF /tmp/graph.debug 
-rw-r--r-- 1 emanuel emanuel 13587 2011-06-06 15:32 /tmp/graph.debug

The bug can be found at:
    dotcode = graph_base % "\n".join(graph_lines)
    if debug:
        a = open("/tmp/graph.debug", "w")
        a.write(dotcode)
        a.close()

Fix: use mkstemp-like functionality.

** Affects: ubuntuone-client (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/793502

Title:
  Insecure temporary file creation in fsm_draw.py

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
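
Added example, not part of the original report and not ubuntuone-client code: the fixed-name write from the report next to a tempfile.mkstemp() version, run inside a private scratch directory to show that open() on a predictable name follows an existing symlink while mkstemp() creates a fresh 0600 file. The function names, the scratch files and the sample dot text are assumptions made for the illustration.

```python
import os
import stat
import tempfile


def write_debug_fixed_name(dotcode, path):
    """Pattern from the report: open() on a predictable name follows symlinks."""
    with open(path, "w") as fh:
        fh.write(dotcode)
    return path


def write_debug_mkstemp(dotcode, directory=None):
    """mkstemp() picks an unpredictable name and creates it with
    O_CREAT | O_EXCL and mode 0600, so an existing file or link is never reused."""
    fd, path = tempfile.mkstemp(prefix="graph.", suffix=".debug",
                                dir=directory, text=True)
    with os.fdopen(fd, "w") as fh:
        fh.write(dotcode)
    return path


def demo():
    """Run both writers inside a private scratch directory (constructed data)."""
    dotcode = "digraph G { a -> b; }\n"            # constructed sample
    with tempfile.TemporaryDirectory() as scratch:
        other = os.path.join(scratch, "important.txt")
        with open(other, "w") as fh:
            fh.write("keep me\n")
        fixed = os.path.join(scratch, "graph.debug")
        os.symlink(other, fixed)                   # the name is already a link

        write_debug_fixed_name(dotcode, fixed)
        with open(other) as fh:
            clobbered = fh.read() == dotcode       # write landed on the link target

        safe = write_debug_mkstemp(dotcode, scratch)
        st = os.lstat(safe)                        # lstat: do not follow links
        return {
            "fixed_name_clobbered_target": clobbered,
            "mkstemp_is_regular_file": stat.S_ISREG(st.st_mode),
            "mkstemp_mode": stat.S_IMODE(st.st_mode),
            "mkstemp_reused_fixed_name": os.path.basename(safe) == "graph.debug",
        }


if __name__ == "__main__":
    print(demo())
```

The caller of write_debug_mkstemp() owns the returned path and should report it to the user or remove it when done, since mkstemp() does not delete the file.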
