oss-security - Re: Fwd: [Python-modules-team] Bug#736247: python-xdg: get_runtime

Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Tue, 21 Jan 2014 13:08:21 -0500 (EST)
From: cve-assign@...re.org
To: dkg@...thhorseman.net
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com,
        736247@...s.debian.org
Subject: Re: Fwd: [Python-modules-team] Bug#736247: python-xdg: get_runtime_dir(strict=False): insecure use of /tmp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> as reported by Jakub Wilk in http://bugs.debian.org/736247, there is a
> TOCTOU failure in python's xdg module
> 
> 1) Create symlink /tmp/pyxdg-runtime-dir-fallback-victim, pointing to a 
> directory owned by the victim

Use CVE-2014-1624.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJS3rYbAAoJEKllVAevmvmsstgH/0w3D687UMenhRZvTHdoPWwi
nk1vTE9SGraAUIe24g0VbdqI3vVUuMN1XqQnljFr2fkCWvhw2c2KCXg99TIcCmLo
wlqRIAf37dCgHXLyHjzlboNKZm+Mlrh57vis4VJIyrq8byW0jmgR9Dv+tACMeWkj
9Wkt1slsPiIMvFOjIZKjN8r8a85XbhpCQIrV4/uFMyOOarQHB9IT25YKNaldegFY
CylvlLM7mi4Ux1JU+ZIUMdwxQoSOtvq3OKYwbHNZoYMH5mGcwwgRN4/tTbuqxmOn
u8TYG3xqqVS4j2QuUG//LACrftlcJ0e/XtQTmSvJlVju/9bE2KD1U3ewrvUYHE0=
=9769
-----END PGP SIGNATURE-----

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.