[Python-modules-team] Bug#737627: python-rply: still uses /tmp insecurely
Jakub Wilk
jwilk at debian.org
Tue Feb 4 12:14:24 UTC 2014
Source: python-rply
Version: 0.7.1-1
Severity: important
Tags: security
[I notified upstream about this problem on 2014-01-27 in a private
e-mail, but there was no reply so far; so I'm disclosing it now.]
rply still uses /tmp insecurely. Malicious local user can cause denial
of service via symlink or hardlink attacks.
Here's an example, using the same test code as in #735263:
$ id | cut -d' ' -f1
uid=1000(jwilk)
$ ls -l /tmp/rply*.json
lrwxr-xr-x 1 mallory root 12 Jan 27 22:08 /tmp/rply-1-1000-tinycalc-72306a09ee3b3fe5697e2d0114eb3ee132a6ff7a.json -> /dev/urandom
$ echo '6 * 7' | python3 tinycalc.py
[eats 100% CPU and gigabytes of RAM]
--
Jakub Wilk
More information about the Python-modules-team
mailing list