CVE-2014-1838

Published: Mar 11, 2014Modified: May 6, 2026

4.4

Vector

AV:L/AC:M/Au:N/C:P/I:P/A:P

Exploitability: 3.4 / Impact: 6.4

Source: NVD

Description

The (1) extract_keys_from_pdf and (2) fill_pdf functions in pdf_ext.py in logilab-commons before 0.61.0 allows local users to overwrite arbitrary files and possibly have other unspecified impact via a symlink attack on /tmp/toto.fdf.

Affected (3)

Products: Opensuse: Opensuse · Logilab: Logilab Common

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Opensuse Opensuse	Version 12.3
Opensuse Opensuse	Version 13.1

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Logilab Logilab Common	Up to 0.60.0

Related CWEs

CWE-59

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References (10)

http://comments.gmane.org/gmane.comp.security.oss.general/11986

Source: cve@mitre.org

http://lists.opensuse.org/opensuse-updates/2014-02/msg00085.html

Source: cve@mitre.org

http://secunia.com/advisories/57209

Source: cve@mitre.org

http://www.logilab.org/ticket/207561

Source: cve@mitre.org

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737051

Source: cve@mitre.org

http://comments.gmane.org/gmane.comp.security.oss.general/11986