Bug 500962 (CVE-2014-1938) - <dev-python/rply-0.7.3: Incomplete fix for CVE-2014-1604
Summary: <dev-python/rply-0.7.3: Incomplete fix for CVE-2014-1604
Alias: CVE-2014-1938
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on:
Reported: 2014-02-11 08:50 UTC by Agostino Sarubbo
Modified: 2016-06-21 08:18 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-02-11 08:50:45 UTC
From ${URL} :

[I notified upstream about this problem on 2014-01-27 in a private e-mail, but there was no reply so far; so I'm disclosing it now.]

rply still uses /tmp insecurely. A malicious local user can cause denial of service via symlink or hardlink attacks.

Here's an example, using the same test code as in #735263:

$ id | cut -d' ' -f1

$ ls -l /tmp/rply*.json
lrwxr-xr-x 1 mallory root 12 Jan 27 22:08 /tmp/rply-1-1000-tinycalc-72306a09ee3b3fe5697e2d0114eb3ee132a6ff7a.json -> /dev/urandom

$ echo '6 * 7' | python3
[eats 100% CPU and gigabytes of RAM]

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
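The bug class in the report, shown side by side with one hardened alternative. This is an added illustration, not code from the bug report and not rply's own implementation: the vulnerable loader mirrors only the shape described above (a cache file in a shared /tmp whose name is built from a version tag, the uid, the parser name and a grammar hash, opened with a plain open() that follows symlinks), and the hardened loader is one reasonable design, not the fix upstream shipped. The version tag "1", the parser name "tinycalc", the grammar text and the user "mallory" are constructed for the demo; the attacker's symlink points at a JSON file with spoofed content rather than /dev/urandom so the script terminates.

```python
# Added illustration for this bug; not rply's own code, and the hardened variant
# is one reasonable design rather than the fix upstream shipped.
import errno
import hashlib
import json
import os
import stat
import tempfile

RPLY_VERSION = "1"  # assumed version tag embedded in the cache file name


def cache_file_name(name, grammar_text):
    # Every component is derived from public inputs (uid, parser name, grammar
    # hash), so any local user can predict the name ahead of time.
    digest = hashlib.sha1(grammar_text.encode("utf-8")).hexdigest()
    return "rply-%s-%d-%s-%s.json" % (RPLY_VERSION, os.getuid(), name, digest)


def load_cache_unsafe(shared_tmp, name, grammar_text):
    # Vulnerable pattern: open() follows symlinks and nobody checks who owns the
    # file. A link to /dev/urandom makes json.load spin forever (the DoS in the
    # report); a link to an attacker's file lets them spoof the parse table.
    path = os.path.join(shared_tmp, cache_file_name(name, grammar_text))
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return json.load(f)


def check_private_dir(cache_dir):
    # Only use a cache directory that is a real directory, owned by us, and not
    # group/world accessible; a 1777 /tmp fails the last test.
    st = os.lstat(cache_dir)
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("%s is not a directory" % cache_dir)
    if st.st_uid != os.getuid():
        raise RuntimeError("%s is owned by uid %d, not us" % (cache_dir, st.st_uid))
    if st.st_mode & 0o077:
        raise RuntimeError("%s is accessible to other users" % cache_dir)


def load_cache_safe(cache_dir, name, grammar_text):
    # Hardened read: private directory, O_NOFOLLOW, then fstat() on the open
    # descriptor so the file cannot be swapped between check and use.
    check_private_dir(cache_dir)
    path = os.path.join(cache_dir, cache_file_name(name, grammar_text))
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0)
    try:
        fd = os.open(path, flags)
    except OSError as e:
        if e.errno in (errno.ENOENT, errno.ELOOP):
            return None  # missing, or a symlink: treat as a miss and rebuild
        raise
    with os.fdopen(fd, "r") as f:
        st = os.fstat(f.fileno())
        # Regular file, ours, and no extra hard link (hardlink attacks leave nlink > 1).
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid() or st.st_nlink != 1:
            return None
        return json.load(f)


def store_cache_safe(cache_dir, name, grammar_text, table):
    # Write to a mkstemp() file in the same directory and rename over the target:
    # readers never see a partial file, and a planted symlink is replaced, not followed.
    check_private_dir(cache_dir)
    path = os.path.join(cache_dir, cache_file_name(name, grammar_text))
    fd, tmp = tempfile.mkstemp(prefix=".rply-", suffix=".tmp", dir=cache_dir)
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(table, f)
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)
        except OSError:
            pass
        raise
    return path


def demo():
    # Constructed scenario: a world-writable "tmp" where mallory has planted a
    # symlink under the predictable name, and a private cache dir for comparison.
    root = tempfile.mkdtemp()
    shared = os.path.join(root, "tmp")
    os.mkdir(shared)
    os.chmod(shared, 0o1777)  # same mode as /tmp
    grammar = "expr : NUMBER TIMES NUMBER"  # constructed grammar text
    fname = cache_file_name("tinycalc", grammar)

    spoof = os.path.join(root, "mallory.json")  # attacker-controlled content
    with open(spoof, "w") as f:
        json.dump({"lr_table": "spoofed"}, f)
    os.symlink(spoof, os.path.join(shared, fname))
    unsafe_result = load_cache_unsafe(shared, "tinycalc", grammar)

    try:
        load_cache_safe(shared, "tinycalc", grammar)
        shared_rejected = False
    except RuntimeError:
        shared_rejected = True

    private = tempfile.mkdtemp(prefix="rply-cache-", dir=root)  # mode 0700, ours
    os.symlink(spoof, os.path.join(private, fname))  # even if planted here...
    symlink_result = load_cache_safe(private, "tinycalc", grammar)  # ...O_NOFOLLOW refuses it
    store_cache_safe(private, "tinycalc", grammar, {"lr_table": "real"})
    good_result = load_cache_safe(private, "tinycalc", grammar)
    return unsafe_result, shared_rejected, symlink_result, good_result


if __name__ == "__main__":
    print(demo())
```

The private-directory check is the part that actually closes the hole: once the cache lives in a 0700 directory the attacker cannot plant anything there. The O_NOFOLLOW, ownership and link-count checks on the open descriptor are defence in depth for the case where the directory is later misconfigured, and the mkstemp-plus-rename write keeps a concurrent reader from parsing a half-written table.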
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-21 08:18:39 UTC
The parser cache functionality in RPLY (aka python-rply) before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-*.json file with a predictable name.

GLSA Vote: No