| Summary: | <dev-python/rply-0.7.3: Incomplete fix for CVE-2014-1604 | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | python |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737627 | ||
| Whiteboard: | B4 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
The parser cache functionality in parsergenerator.py in RPLY (aka python-rply) before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-*.json file with a predictable name. GLSA Vote: No |
From ${URL} : I notified upstream about this problem on 2014-01-27 in a private e-mail, but there was no reply so far; so I'm disclosing it now.] rply still uses /tmp insecurely. Malicious local user can cause denial of service via symlink or hardlink attacks. Here's an example, using the same test code as in #735263: $ id | cut -d' ' -f1 uid=1000(jwilk) $ ls -l /tmp/rply*.json lrwxr-xr-x 1 mallory root 12 Jan 27 22:08 /tmp/rply-1-1000-tinycalc-72306a09ee3b3fe5697e2d0114eb3ee132a6ff7a.json -> /dev/urandom $ echo '6 * 7' | python3 tinycalc.py [eats 100% CPU and gigabytes of RAM] @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.