[Freewx-maint] Bug#775461: python-wxgtk3.0: wx.tools.img2py: insecure use of /tmp

Jakub Wilk jwilk at debian.org
Thu Jan 15 21:35:39 UTC 2015


Package: python-wxgtk3.0
Version: 3.0.1.1+dfsg-2
Tags: security

This is how wx.tools.img2py uses temporary files (with boring parts 
snipped):

    tfname = tempfile.mktemp()   # returns only a name; nothing is created on disk
    try:
        # the converter later opens tfname for writing, after the name was chosen
        ok, msg = convert(image_file, maskClr, None, tfname, wx.BITMAP_TYPE_PNG, ".png")
        # ...
    finally:
        # ...


This is insecure, because mktemp() returns just a filename, without 
creating the file on disk. From the documentation: "Use of this function 
may introduce a security hole in your program. By the time you get 
around to doing anything with the file name it returns, someone else may 
have beaten you to the punch."

Unfortunately, we have embedded copies of this code in the archive:
https://codesearch.debian.net/search?q=tempfile.mktemp+path%3Aimg2py.py

-- 
Jakub Wilk
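To make the difference concrete, here is an added illustration (not img2py code, and not part of the report): the mktemp() pattern from the report next to the mkstemp()-based form that creates the file atomically with O_CREAT|O_EXCL and mode 0600. The convert() call is stood in for by a plain write of constructed bytes.

```python
import os
import stat
import tempfile


def convert_with_mktemp(data):
    """Pattern from the report: mktemp() hands back a name but creates nothing,
    so the window between choosing the name and the later open() is what the
    documentation warns about. Constructed stand-in for the convert() call."""
    tfname = tempfile.mktemp(suffix=".png")
    existed_before_open = os.path.exists(tfname)  # always False: nothing was created
    with open(tfname, "wb") as f:               # the racy, late open()
        f.write(data)
    return tfname, existed_before_open


def convert_with_mkstemp(data):
    """Hardened form: mkstemp() creates the file itself, with O_CREAT|O_EXCL
    and mode 0600, and returns an already-open descriptor. A file or symlink
    that someone else placed at that name beforehand makes the create fail
    instead of being silently followed or overwritten."""
    fd, tfname = tempfile.mkstemp(suffix=".png")
    try:
        with os.fdopen(fd, "wb") as f:          # write through the returned fd
            f.write(data)
    except BaseException:
        os.unlink(tfname)
        raise
    return tfname


def temp_mode(path):
    """Permission bits of the created temp file (expected 0o600 from mkstemp)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def exclusive_create_refuses_existing(path):
    """The check mkstemp relies on: O_EXCL fails if the name is already taken."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return True
    os.close(fd)
    return False


def read_back(path):
    with open(path, "rb") as f:
        return f.read()


def cleanup(path):
    os.unlink(path)
```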