From ${URL} : I notified upstream about this problem on 2014-01-27 in a private e-mail, but there was no reply so far; so I'm disclosing it now.] rply still uses /tmp insecurely. Malicious local user can cause denial of service via symlink or hardlink attacks. Here's an example, using the same test code as in #735263: $ id | cut -d' ' -f1 uid=1000(jwilk) $ ls -l /tmp/rply*.json lrwxr-xr-x 1 mallory root 12 Jan 27 22:08 /tmp/rply-1-1000-tinycalc-72306a09ee3b3fe5697e2d0114eb3ee132a6ff7a.json -> /dev/urandom $ echo '6 * 7' | python3 tinycalc.py [eats 100% CPU and gigabytes of RAM] @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
The parser cache functionality in parsergenerator.py in RPLY (aka python-rply) before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-*.json file with a predictable name. GLSA Vote: No
