tag.py in eyeD3 allows local users to modify arbitrary files via a symlink attack on a temporary file.

Issue #65 resolved
Niranjan Mallapadi
created an issue

Greetings,

My name is Niranjan and I am a fedora contributor and this is regarding CVE-2014-1934[1], tag.py in eyed3/id3/ directory uses mktemp() to create temporary file, and this function is prone to symlink attacks.

Would it be possible to replace mktemp() with mkstemp[2] instead.

  1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1934
  2. https://docs.python.org/2/library/tempfile.html

Fedora Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1063672

Regards Niranjan

Comments (3)

  1. Log in to comment