Source: python-rply Version: 0.7.1-1 Severity: important Tags: security
[I notified upstream about this problem on 2014-01-27 in a private e-mail, but there was no reply so far; so I'm disclosing it now.]
rply still uses /tmp insecurely. Malicious local user can cause denial of service via symlink or hardlink attacks.
Here's an example, using the same test code as in #735263: $ id | cut -d' ' -f1 uid=1000(jwilk) $ ls -l /tmp/rply*.json lrwxr-xr-x 1 mallory root 12 Jan 27 22:08 /tmp/rply-1-1000-tinycalc-72306a09ee3b3fe5697e2d0114eb3ee132a6ff7a.json -> /dev/urandom $ echo '6 * 7' | python3 tinycalc.py [eats 100% CPU and gigabytes of RAM] -- Jakub Wilk _______________________________________________ Python-modules-team mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team
