[Python-modules-team] Bug#735263: python-rply: insecure use of /tmp
Jakub Wilk
jwilk at debian.org
Tue Jan 14 09:17:11 UTC 2014
Source: python-rply
Version: 0.7.0-1
Severity: grave
Tags: security
Justification: user security hole
rply stores its cache files in /tmp. This is insecure, because /tmp is
world-writable, and the filenames rply uses are of course predictable.
Proof of concept is attached. If you put the rply-*.json file in /tmp
and make it world-readable, then the tiny calculator's math will start
to be slightly off (even when run by a different user than the owner of
the cache file):
$ ls -l /tmp/rply-*.json
-rw-r--r-- 1 eve users 730 Jan 13 22:20 /tmp/rply-1-tinycalc-72306a09ee3b3fe5697e2d0114eb3ee132a6ff7a.json
$ whoami
jwilk
$ echo 69 - 37 - 10 | python3 tinycalc.py
69 - 37 - 10 = 42
--
Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rply-1-tinycalc-72306a09ee3b3fe5697e2d0114eb3ee132a6ff7a.json
Type: application/json
Size: 730 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/python-modules-team/attachments/20140114/5f9eb442/attachment.json>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tinycalc.py
Type: text/x-python
Size: 842 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/python-modules-team/attachments/20140114/5f9eb442/attachment.py>
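An added example of the mitigation the report points at, written for this page and not taken from rply or from the fix that was eventually shipped: keep the parser cache in a per-user, owner-only directory instead of /tmp, and refuse to load any cache file that is not a regular file owned by the current user, that is group- or world-writable, or that sits in a world-writable directory (which is exactly what lets another user pre-create a predictably named file). The function names (`user_cache_dir`, `cache_file_is_trustworthy`, `load_cache`) and the sample file contents are assumptions for illustration; `demo()` constructs the cases in a temporary directory so the whole thing runs offline.

```python
"""Safe cache-file handling for a parser-table cache.

Illustrative example written for this bug report; it is not rply's own
code. The names below are assumptions, not rply's API.
"""
import json
import os
import stat
import tempfile


def user_cache_dir(app="rply", base=None):
    """Return a per-user cache directory with owner-only permissions.

    Honours $XDG_CACHE_HOME and falls back to ~/.cache. A world-writable
    location such as /tmp is never used, so no other user can pre-create a
    predictably named cache file for us to load.
    """
    if base is None:
        base = os.environ.get("XDG_CACHE_HOME") or os.path.join(
            os.path.expanduser("~"), ".cache")
    path = os.path.join(base, app)
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)  # makedirs is subject to the umask; enforce the mode
    return path


def cache_file_is_trustworthy(path):
    """True only for a regular file we own that nobody else can write,
    located in a directory we own that is not world-writable."""
    try:
        st = os.lstat(path)  # lstat(): a symlink planted in our place is rejected
        parent = os.stat(os.path.dirname(os.path.abspath(path)))
    except OSError:
        return False
    uid = os.getuid()
    if not stat.S_ISREG(st.st_mode) or st.st_uid != uid:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    # A world-writable parent (like /tmp) lets anyone choose the file's contents
    # before we first write it, so the file is untrusted even if we own it.
    if parent.st_uid != uid or parent.st_mode & stat.S_IWOTH:
        return False
    return True


def load_cache(path):
    """Load the JSON cache only when it passes the ownership checks;
    otherwise return None so the caller regenerates its tables."""
    if not cache_file_is_trustworthy(path):
        return None
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Construct a few cache files and report which ones would be loaded.

    Returns {case_name: loaded?}. Only the file in the private, owner-only
    directory is accepted; the world-writable file, the symlink and the
    file in a /tmp-like directory are all refused.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good_dir = user_cache_dir(base=tmp)
        good = os.path.join(good_dir, "rply-1-tinycalc.json")  # constructed name
        with open(good, "w") as fh:
            json.dump({"tables": "constructed sample"}, fh)
        os.chmod(good, 0o600)
        results["private_dir"] = load_cache(good) is not None

        # Same file, but left group/world-writable: anyone could edit it.
        os.chmod(good, 0o666)
        results["world_writable_file"] = load_cache(good) is not None
        os.chmod(good, 0o600)

        # A symlink standing in for the cache file is rejected by lstat().
        link = os.path.join(good_dir, "rply-link.json")
        os.symlink(good, link)
        results["symlink"] = load_cache(link) is not None

        # A sticky, world-writable directory modelled on /tmp.
        shared = os.path.join(tmp, "shared_tmp")
        os.mkdir(shared)
        os.chmod(shared, 0o1777)
        planted = os.path.join(shared, "rply-1-tinycalc.json")
        with open(planted, "w") as fh:
            json.dump({"tables": "constructed sample"}, fh)
        os.chmod(planted, 0o644)
        results["world_writable_dir"] = load_cache(planted) is not None
    return results


if __name__ == "__main__":
    for case, loaded in demo().items():
        print(f"{case:22s} loaded={loaded}")
```

The directory check matters as much as the file check: with a sticky /tmp another user cannot replace a file we already own, but nothing stops them from creating the predictable name first, which is the scenario the report demonstrates.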