| Summary: | <dev-python/pyxdg-0.25-r1: TOCTOU race condition in get_runtime_dir() when strict=False (CVE-2014-1624) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | python |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1056338 | ||
| Whiteboard: | B4 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
Fix committed here: https://github.com/takluyver/pyxdg/commit/bd999c1c3fe7ee5f30ede2cf704cf03e400347b4 CVE-2014-1624 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1624): Race condition in the xdg.BaseDirectory.get_runtime_dir function in python-xdg 0.25 allows local users to overwrite arbitrary files by pre-creating /tmp/pyxdg-runtime-dir-fallback-victim to point to a victim-owned location, then replacing it with a symlink to an attacker-controlled location once the get_runtime_dir function is called. *pyxdg-0.25-r1 (26 Mar 2014) 26 Mar 2014; Ian Delaney <idella4@gentoo.org> +files/sec-patch-CVE-2014-1624.patch, +pyxdg-0.25-r1.ebuild, -pyxdg-0.23.ebuild, -pyxdg-0.24.ebuild: add sec patch wrt Bug #498934, rm old Please stabilize. =dev-python/pyxdg-0.25-r1 Stable for HPPA. amd64 stable x86 stable Are we to ignore bug 471984? Sicne the mentioned bug is also present in the current stable, I stabilized -r1 on alpha. (In reply to Tobias Klausmann from comment #9) > Sicne the mentioned bug is also present in the current stable, I stabilized > -r1 on alpha. Also, test failures does not block security bugs.. ppc stable ppc64 stable ia64 stable sparc stable arm stable, all arches done. GLSA Vote: No GLSA Vote: No Maintainer(s), please drop the vulnerable version. Maintainer(s), it has been 30 days since request for cleanup. Please drop the vulnerable versions. + 07 Jan 2015; Mike Gilbert <floppym@gentoo.org> -pyxdg-0.25.ebuild: + Remove old. Maintainer(s), Thank you for cleanup! Closing noglsa. |
From ${URL} : It was reported [1],[2] that the Python XDG module (pyxdg) suffered from a TOCTOU race condition when the xdg.BaseDirectory.get_runtime_dir() function is called with the strict setting set to False (the default is True). When the strict setting is set to True, the directory pointed to by the $XDG_RUNTIME_DIR is used (and returned). However, if $XDG_RUNTIME_DIR is unset, it will attempt to use the /tmp/pyxdg-runtime-dir-fallback-[username] directory. A local attacker could use this to conduct symbolic link attacks, possibly leading to their ability to modify permissions or security context of a path different than that originally intended or requested. This flaw only affects pyxdg 0.25 as the ability to use the $XDG_RUNTIME_DIR (and thus the introduction of this function) was first introduced there based on this Debian request [3]. No patch is yet available and discussion on the fix is taking place in the upstream bug tracker [4]. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736247 [2] http://www.openwall.com/lists/oss-security/2014/01/21/3 [3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656338 [4] https://bugs.freedesktop.org/show_bug.cgi?id=73878 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.