Date: Fri, 18 Jul 2014 22:40:38 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Good news and bad news on Python sockets and pickle

So first the good news: I looked at the top projects on PyPI
(arbitrarily defined as more than 1000 downloads in the last month for
at least one version), so for the most recent version of these that
meant about 8,072 packages.

I looked for cases where pickle.loads is used on untrusted data; the
good news is I didn't find many. The main two use cases were taking
data from ZeroMQ and memcached and then unpickling it; it looks like
those would be compromised in any event if malicious data got in
there, let alone RCE type stuff.

However, having said that, we do have this one from the past:

CVE-2012-4406: OpenStack Object Storage (swift) before 1.7.0 uses the
loads function in the pickle Python module unsafely when storing and
loading metadata in memcached, which allows remote attackers to
execute arbitrary code via a crafted pickle object.

So here is my question: is all pickle.loads from things like memcached
(which has no auth) generally CVE worthy? If so I can post a list of
the potentials. I'll be honest, I'm too lazy to go digging through it
(I'm not sure how many use shared/public memcached configs/etc.).

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
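The mitigation side of the memcached-unpickling pattern discussed above, as an added example that is not the poster's code and not taken from any of the packages surveyed: a loader that refuses pickles referencing any global (the hook every pickle RCE gadget needs), and an HMAC wrapper so values read back from an unauthenticated cache are rejected unless they were written by the holder of the key. The key, the metadata sample and the suspect pickle are constructed for the demo.

```python
import hashlib, hmac, io, pickle, pickletools

# Opcodes that import a global or build/call an object from one; a pickle of
# plain data (dict, list, str, int, bytes, ...) never needs any of them.
GLOBAL_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
              "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def pickle_references_globals(data: bytes) -> set:
    # Static scan with pickletools: nothing is executed while looking.
    return {op.name for op, _, _ in pickletools.genops(data) if op.name in GLOBAL_OPS}

class DataOnlyUnpickler(pickle.Unpickler):
    def find_class(self, module, name):  # refuse every global lookup
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")

def safe_loads(data: bytes):
    bad = pickle_references_globals(data)
    if bad:
        raise pickle.UnpicklingError(f"rejected opcodes: {sorted(bad)}")
    return DataOnlyUnpickler(io.BytesIO(data)).load()

def sign_value(key: bytes, obj) -> bytes:
    # For a shared cache: 32-byte HMAC-SHA256 tag prepended to the pickle.
    body = pickle.dumps(obj)
    return hmac.new(key, body, hashlib.sha256).digest() + body

def verify_and_load(key: bytes, blob: bytes):
    # Authenticate first; the pickle bytes are never parsed on their own.
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("cache value failed authentication")
    return safe_loads(body)

# Constructed samples: ordinary metadata, and a protocol-0 pickle whose GLOBAL
# opcode resolves builtins.len (a harmless stand-in for a real gadget).
SAMPLE = {"object": "img.png", "size": 1024, "tags": ["a", "b"]}
SUSPECT = b"cbuiltins\nlen\n."
KEY = b"constructed-demo-key"

def raises(exc, fn, *args) -> bool:
    try:
        fn(*args)
    except exc:
        return True
    return False

def demo() -> dict:
    return {"roundtrip": safe_loads(pickle.dumps(SAMPLE)) == SAMPLE,
            "suspect_rejected": raises(pickle.UnpicklingError, safe_loads, SUSPECT),
            # forged body behind a genuine tag: the HMAC check must fail
            "tamper_rejected": raises(ValueError, verify_and_load, KEY,
                                      sign_value(KEY, SAMPLE)[:32] + SUSPECT)}
```

Plain pickle.loads would happily return the `len` function for SUSPECT; the static opcode scan is also usable on its own to flag cache contents without ever loading them.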
