From ${URL} : It was reported [1],[2] that the Python XDG module (pyxdg) suffered from a TOCTOU race condition when the xdg.BaseDirectory.get_runtime_dir() function is called with the strict setting set to False (the default is True). When the strict setting is set to True, the directory pointed to by the $XDG_RUNTIME_DIR is used (and returned). However, if $XDG_RUNTIME_DIR is unset, it will attempt to use the /tmp/pyxdg-runtime-dir-fallback-[username] directory. A local attacker could use this to conduct symbolic link attacks, possibly leading to their ability to modify permissions or security context of a path different than that originally intended or requested. This flaw only affects pyxdg 0.25 as the ability to use the $XDG_RUNTIME_DIR (and thus the introduction of this function) was first introduced there based on this Debian request [3]. No patch is yet available and discussion on the fix is taking place in the upstream bug tracker [4]. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736247 [2] http://www.openwall.com/lists/oss-security/2014/01/21/3 [3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656338 [4] https://bugs.freedesktop.org/show_bug.cgi?id=73878 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Fix committed here: https://github.com/takluyver/pyxdg/commit/bd999c1c3fe7ee5f30ede2cf704cf03e400347b4
CVE-2014-1624 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1624): Race condition in the xdg.BaseDirectory.get_runtime_dir function in python-xdg 0.25 allows local users to overwrite arbitrary files by pre-creating /tmp/pyxdg-runtime-dir-fallback-victim to point to a victim-owned location, then replacing it with a symlink to an attacker-controlled location once the get_runtime_dir function is called.
*pyxdg-0.25-r1 (26 Mar 2014) 26 Mar 2014; Ian Delaney <idella4@gentoo.org> +files/sec-patch-CVE-2014-1624.patch, +pyxdg-0.25-r1.ebuild, -pyxdg-0.23.ebuild, -pyxdg-0.24.ebuild: add sec patch wrt Bug #498934, rm old
Please stabilize. =dev-python/pyxdg-0.25-r1
Stable for HPPA.
amd64 stable
x86 stable
Are we to ignore bug 471984?
Sicne the mentioned bug is also present in the current stable, I stabilized -r1 on alpha.
(In reply to Tobias Klausmann from comment #9) > Sicne the mentioned bug is also present in the current stable, I stabilized > -r1 on alpha. Also, test failures does not block security bugs..
ppc stable
ppc64 stable
ia64 stable
sparc stable
arm stable, all arches done.
GLSA Vote: No
GLSA Vote: No Maintainer(s), please drop the vulnerable version.
Maintainer(s), it has been 30 days since request for cleanup. Please drop the vulnerable versions.
+ 07 Jan 2015; Mike Gilbert <floppym@gentoo.org> -pyxdg-0.25.ebuild: + Remove old.
Maintainer(s), Thank you for cleanup! Closing noglsa.
