Package: python-docutils Version: 0.5-2 Severity: grave Tags: security help Justification: user security hole
Emacs major mode for reStructuredText (rst.el) uses temporary files with predictable names in an insecure fashion: | (defun rst-compile-pdf-preview () | "Convert the document to a PDF file and launch a preview program." | (interactive) | (let* ((tmp-filename "/tmp/out.pdf") | (command (format "%s %s %s && %s %s" | (cadr (assq 'pdf rst-compile-toolsets)) | buffer-file-name tmp-filename | rst-pdf-program tmp-filename))) | (start-process-shell-command "rst-pdf-preview" nil command) | ;; Note: you could also use (compile command) to view the compilation | ;; output. | )) [...] | (defun rst-compile-slides-preview () | "Convert the document to an S5 slide presentation and launch a preview program." | (interactive) | (let* ((tmp-filename "/tmp/slides.html") | (command (format "%s %s %s && %s %s" | (cadr (assq 's5 rst-compile-toolsets)) | buffer-file-name tmp-filename | rst-slides-program tmp-filename))) | (start-process-shell-command "rst-slides-preview" nil command) | ;; Note: you could also use (compile command) to view the compilation | ;; output. | )) How to reproduce/exploit this bug --------------------------------- Attacker: $ ln -sf /path/to/file/the/attacker/want/to/overwrite /tmp/slides.html Victim: $ emacs foo.rst M-x rst-mode C-c 5 -- Jakub Wilk
signature.asc
Description: Digital signature
