oss-sec mailing list archives

Fwd: [Python-modules-team] Bug#735263: python-rply: insecure use of /tmp


From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Tue, 14 Jan 2014 08:48:19 -0500

in http://bugs.debian.org/735263, Jakub Wilk reports an insecure
tempfile usage in rply.

upstream homepage:
 https://github.com/alex/rply

original bug report is attached below.

Regards,

        --dkg
--- Begin Message ---
From: Jakub Wilk <jwilk () debian org>
Date: Tue, 14 Jan 2014 10:17:11 +0100
Source: python-rply
Version: 0.7.0-1
Severity: grave
Tags: security
Justification: user security hole

rply stores its cache files in /tmp. This is insecure, because /tmp is world-writable, and the filenames rply uses are of course predictable.

Proof of concept is attached. If you put the rply-*.json file in /tmp and make it world-readable, then the tiny calculator's math will start to be slightly off (even when run by a different user than the owner of the cache file):

$ ls -l /tmp/rply-*.json
-rw-r--r-- 1 eve users 730 Jan 13 22:20 /tmp/rply-1-tinycalc-72306a09ee3b3fe5697e2d0114eb3ee132a6ff7a.json

$ whoami
jwilk

$ echo 69 - 37 - 10 | python3 tinycalc.py
69 - 37 - 10 = 42

--
Jakub Wilk

Attachment: rply-1-tinycalc-72306a09ee3b3fe5697e2d0114eb3ee132a6ff7a.json
Attachment: tinycalc.py

_______________________________________________
Python-modules-team mailing list
Python-modules-team () lists alioth debian org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team

--- End Message ---

Attachment: signature.asc
Description: OpenPGP digital signature
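For reference, the pattern below is an added example written for this archive page; it is not code from rply, from Debian, or from either message above. It shows the two defensive halves of a fix for the bug class Jakub describes: keep the cache out of the shared /tmp and in a per-user directory created with mode 0700, and before loading any cache file verify that it is a regular file, owned by the current user and not writable by group or other, refusing it otherwise. The application name "tinycalc", the XDG-style cache location, the JSON layout of the tables and the grammar text used in demo() are all assumptions made for the example; it requires POSIX (os.getuid, symlinks).

```python
"""Safer parser-table cache than a predictable name in /tmp.

Added example, not rply's code. Assumed: cache is a JSON document, the
application has a short name, and a per-user directory under
$XDG_CACHE_HOME (or ~/.cache) is acceptable. POSIX only.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def cache_dir(app_name="tinycalc"):
    """Per-user cache directory, created 0700 so other local users can
    neither read it nor plant files in it (unlike the shared /tmp)."""
    base = os.environ.get("XDG_CACHE_HOME") or os.path.join(
        os.path.expanduser("~"), ".cache")
    path = os.path.join(base, app_name)
    os.makedirs(path, mode=0o700, exist_ok=True)
    return path


def cache_path(grammar_source, directory=None):
    """A content-derived name is fine once the directory is private."""
    digest = hashlib.sha1(grammar_source.encode("utf-8")).hexdigest()
    return os.path.join(directory or cache_dir(), "tables-%s.json" % digest)


def is_trusted_cache_file(path):
    """Reject anything another local user could have planted or modified:
    symlinks, non-regular files, files not owned by us, files writable by
    group or other. Uses lstat so a symlink is seen as a symlink."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):       # also excludes symlinks
        return False
    if st.st_uid != os.getuid():
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def load_tables(path):
    """Return the cached tables, or None so the caller regenerates them."""
    if not is_trusted_cache_file(path):
        return None
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def store_tables(path, tables):
    """Write via a private temp file (mkstemp creates it 0600) and rename
    atomically, so a partially written or foreign file is never picked up."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".tables-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump(tables, f)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def demo():
    """Exercise the checks in a throwaway directory; returns which held."""
    d = tempfile.mkdtemp(prefix="cache-demo-")
    try:
        # Constructed grammar text, only used to derive a file name.
        path = cache_path("expr : NUMBER MINUS NUMBER", d)
        tables = {"lr_action": [1, 2, 3]}
        store_tables(path, tables)
        results = {}
        results["roundtrip"] = load_tables(path) == tables
        results["private_mode"] = (os.stat(path).st_mode & 0o777) == 0o600
        os.chmod(path, 0o666)                # simulate a world-writable file
        results["rejects_world_writable"] = load_tables(path) is None
        os.chmod(path, 0o600)
        link = os.path.join(d, "link.json")
        os.symlink(path, link)              # simulate a planted symlink
        results["rejects_symlink"] = load_tables(link) is None
        results["rejects_missing"] = load_tables(
            os.path.join(d, "none.json")) is None
        return results
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The ownership and permission checks do not make /tmp safe to use; they are a second line of defence for the case where the cache directory is misconfigured. The real fix is the private per-user directory, which removes the other user's ability to create the file in the first place.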

