Some temporary file issues were reported by Jakub Wilk (quoting from our bug report):

In logilab/common/pdf_ext.py it uses fully predictable names:

    def extract_keys_from_pdf(filename):
        # what about using 'pdftk filename dump_data_fields' and parsing the output ?
        os.system('pdftk %s generate_fdf output /tmp/toto.fdf' % filename)
        lines = file('/tmp/toto.fdf').readlines()
        return extract_keys(lines)

    def fill_pdf(infile, outfile, fields):
        write_fields(file('/tmp/toto.fdf', 'w'), fields)
        os.system('pdftk %s fill_form /tmp/toto.fdf output %s flatten' % (infile, outfile))

And in logilab/common/shellutils.py:

    class Execute:
        """This is a deadlock safe version of popen2 (no stdin), that returns
        an object with errorlevel, out and err.
        """
        def __init__(self, command):
            outfile = tempfile.mktemp()
            errfile = tempfile.mktemp()
            self.status = os.system("( %s ) >%s 2>%s" % (command, outfile, errfile)) >> 8
            self.out = open(outfile, "r").read()
            self.err = open(errfile, "r").read()
            os.remove(outfile)
            os.remove(errfile)

tempfile.mktemp() should be replaced with tempfile.mkstemp() as it is documented as insecure.

I don't believe a CVE has been requested for this already. Can one be assigned please?

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1060304
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737051
https://bugs.gentoo.org/show_bug.cgi?id=499872
http://secunia.com/advisories/56720/

--
Vincent Danen / Red Hat Security Response Team
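As an added example (not logilab's code and not part of the message above), here is how the quoted Execute helper can be rewritten around tempfile.mkstemp() as the report recommends; the class name SafeExecute and the scratch_files/cleaned_up names are this example's own, and the command is taken as an argv list rather than a shell string.

```python
import os
import subprocess
import tempfile


class SafeExecute:
    """Run a command and capture its exit status, stdout and stderr.

    Hardened counterpart of the Execute class quoted above. mkstemp()
    creates each scratch file with O_CREAT|O_EXCL and mode 0600 under an
    unpredictable name and returns an already-open descriptor, so a
    pre-created file or symlink at a guessable path like /tmp/toto.fdf
    cannot be substituted for ours. The argv list runs without a shell,
    so the scratch paths never go through shell parsing at all.
    """

    def __init__(self, argv):
        out_fd, out_path = tempfile.mkstemp(prefix="execute-out-")
        err_fd, err_path = tempfile.mkstemp(prefix="execute-err-")
        self.scratch_files = (out_path, err_path)  # kept only so cleanup can be checked
        try:
            # mkstemp opened the files O_RDWR, so wrap the descriptors read/write.
            with os.fdopen(out_fd, "r+b") as out_f, os.fdopen(err_fd, "r+b") as err_f:
                # Hand the open descriptors to the child instead of re-opening
                # the names afterwards; re-opening by path is exactly the step
                # that mktemp() leaves racy.
                proc = subprocess.run(argv, stdout=out_f, stderr=err_f, check=False)
                self.status = proc.returncode
                # The child wrote through a dup of our descriptors, so the file
                # offsets moved with it; rewind before reading back.
                out_f.seek(0)
                err_f.seek(0)
                self.out = out_f.read().decode("utf-8", "replace")
                self.err = err_f.read().decode("utf-8", "replace")
        finally:
            for path in self.scratch_files:
                os.unlink(path)

    def cleaned_up(self):
        """True once both scratch files have been removed."""
        return not any(os.path.exists(p) for p in self.scratch_files)


if __name__ == "__main__":
    r = SafeExecute(["sh", "-c", "echo out; echo err >&2; exit 3"])
    print(r.status, repr(r.out), repr(r.err), r.cleaned_up())
```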