| Field | Value | Field | Value |
|---|---|---|---|
| Summary | <dev-python/rply-0.7.1 : insecure use of /tmp (CVE-2014-1604) | | |
| Product | Gentoo Security | Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | trivial | CC | python |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | http://www.openwall.com/lists/oss-security/2014/01/17/8 | | |
| Whiteboard | ~4 [ebuild] | | |
| Package list | | Runtime testing required | --- |
Description

Agostino Sarubbo, 2014-01-19 11:39:28 UTC

Found in version python-rply/0.7.0-1. Fixed in version python-rply/0.7.1-1.

grief 0.7.0 was NEVER even in portage.

*rply-0.7.2 (14 Feb 2014)
14 Feb 2014; Patrick Lauer <patrick@gentoo.org> +rply-0.7.2.ebuild: Bump

28 Mar 2014; Ian Delaney <idella4@gentoo.org> -rply-0.5.1.ebuild: rm old rply-0.5.1 wrt to sec. Bug #498538

CVE-2014-1604 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1604): The parser cache functionality in parsergenerator.py in RPLY (aka python-rply) before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-*.json file with a predictable name.

Fixed in https://github.com/alex/rply/commit/fc9bbcd25b0b4f09bbd6339f710ad24c129d5d7c and >0.7.1. No stable version available.

@security: Please resolve as fixed. All vulnerable versions removed.

Original package versions were unstable so no GLSA required.
Found in version python-rply/0.7.0-1 Fixed in version python-rply/0.7.1-1 grief 0.7.0 was NEVER even in portage. *rply-0.7.2 (14 Feb 2014) 14 Feb 2014; Patrick Lauer <patrick@gentoo.org> +rply-0.7.2.ebuild: Bump && 28 Mar 2014; Ian Delaney <idella4@gentoo.org> -rply-0.5.1.ebuild: rm old rply-0.5.1 wrt to sec. Bug #498538 CVE-2014-1604 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1604): The parser cache functionality in parsergenerator.py in RPLY (aka python-rply) before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-*.json file with a predictable name. Fixed in https://github.com/alex/rply/commit/fc9bbcd25b0b4f09bbd6339f710ad24c129d5d7c and >0.7.1 No stable version available @security: Please resolve as fixed. all vulnerable versions removed. original package versions were unstable so no GLSA required |