oss-sec mailing list archives
Fwd: [Python-modules-team] Bug#735263: python-rply: insecure use of /tmp
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Tue, 14 Jan 2014 08:48:19 -0500
in http://bugs.debian.org/735263, Jakub Wilk reports an insecure tempfile usage in rply.

upstream homepage: https://github.com/alex/rply

original bug report is attached below.

Regards,

--dkg
--- Begin Message ---
From: Jakub Wilk <jwilk () debian org>
Date: Tue, 14 Jan 2014 10:17:11 +0100
Source: python-rply
Version: 0.7.0-1
Severity: grave
Tags: security
Justification: user security hole

rply stores its cache files in /tmp. This is insecure, because /tmp is world-writable, and the filenames rply uses are of course predictable.

Proof of concept is attached. If you put the rply-*.json file in /tmp and make it world-readable, then the tiny calculator's math will start to be slightly off (even when run by a different user than the owner of the cache file):

$ ls -l /tmp/rply-*.json
-rw-r--r-- 1 eve users 730 Jan 13 22:20 /tmp/rply-1-tinycalc-72306a09ee3b3fe5697e2d0114eb3ee132a6ff7a.json
$ whoami
jwilk
$ echo 69 - 37 - 10 | python3 tinycalc.py
69 - 37 - 10 = 42

--
Jakub Wilk

Attachment: rply-1-tinycalc-72306a09ee3b3fe5697e2d0114eb3ee132a6ff7a.json
Attachment: tinycalc.py
--- End Message ---
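As an added example from the defender's side (not rply's code and not part of the bug report): a cache loader that refuses a table file unless it is a regular file owned by the current user and not writable by group or others, and that writes its own files atomically inside a private directory instead of a shared /tmp. It assumes a POSIX system; the function names and the sample table contents are constructed for the demonstration.

```python
import json
import os
import stat
import tempfile

def cache_file_is_trusted(path, uid=None):
    """Regular file (no symlink), owned by us, not group/world-writable."""
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(path)  # lstat: never follow a link someone else planted
    except OSError:
        return False
    return (stat.S_ISREG(st.st_mode) and st.st_uid == uid
            and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def load_cache(path):
    """Parsed JSON table, or None when the file fails the checks above."""
    if not cache_file_is_trusted(path):
        return None
    with open(path) as f:
        return json.load(f)

def write_cache(cache_dir, name, table):
    """Atomic write: O_EXCL temp file (mode 0600) in a private dir, then rename."""
    fd, tmp = tempfile.mkstemp(dir=cache_dir, prefix=name + ".")
    with os.fdopen(fd, "w") as f:
        json.dump(table, f)
    final = os.path.join(cache_dir, name)
    os.replace(tmp, final)
    return final

def demo():
    """Constructed scenario in a scratch dir (mkdtemp -> mode 0700): one
    legitimate cache file, one planted world-writable file, one symlink.
    A file owned by another uid is rejected the same way but needs a
    second account to construct, so it is not shown here."""
    d = tempfile.mkdtemp()
    good = write_cache(d, "tinycalc.json", {"lr_action": [[0, 1]]})  # sample table
    planted = os.path.join(d, "planted.json")
    with open(planted, "w") as f:
        json.dump({"lr_action": []}, f)
    os.chmod(planted, 0o666)
    link = os.path.join(d, "link.json")
    os.symlink(good, link)
    return {"good": load_cache(good),
            "world_writable": load_cache(planted),
            "symlink": load_cache(link),
            "missing": load_cache(os.path.join(d, "absent.json"))}
```

The real fix for the report above is the directory choice (a per-user cache directory created with mode 0700 rather than /tmp); the per-file checks are the second line of defence when a stale or planted file is found where the cache is expected.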