Date: Fri, 18 Jul 2014 22:40:38 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Good news and bad news on Python sockets and pickle

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So first the good news: I looked at the top projects on PyPI (arbitrarily defined as more than 1000 downloads in the last month for at least one version), so for the most recent version of these that meant about 8,072 packages. I looked for cases where pickle.loads is used on untrusted data. The good news is I didn't find many; the main two use cases were taking data from ZeroMQ and memcached and then unpickling it. Looks like those would be compromised in any event if malicious data got in there, let alone RCE type stuff.

However, having said that, we do have this one in the past:

CVE-2012-4406 OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object.

So here is my question: is all pickle.loads from things like memcached (which has no auth) generally CVE worthy? If so I can post a list of the potentials. I'll be honest, I'm too lazy to go digging through it (I'm not sure how many use shared/public memcached configs/etc.).
- -- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJTyfbGAAoJEBYNRVNeJnmTYokQAMgZvPbYFaCU7IBV5Dxl4yD9
A92UDWFsHhzvvNkJWOFmrsWJ+2HN1QvL7IvucLpIuVhETAA97ZJW1257bx5eZWR5
ABY6wbUd8fmtyunTdNIxBiNpDYA7Lwxo0PD6EZqjBpzB+pzIbfojecfzQReOFyO6
SgLoc4fRPnvBk2pD/F0FfgNRY0Vk2b7JbZgj+enIqC3U2Ug921Ej5d4DmAcBe5oN
Sn7WCAmbG0p6l3TKh4n3T5GAELO1BeWAN8aOO//4eE2uuTGesPkD+F5299nGRCzS
Ff6NeuHvS+aIR5XzeksXXhhy1Sv8/RAWoWt9jQoQirSx8BijW2NQbx1vv09pA4XG
cxjkmhatCQtMIoI18fK2uIRHGPnQSi1tw/pB9YdMjFG+LKcs6VFwwLE3pCnGuARm
asIKgHSUqTlam2FpwuyiVzTtsj2sa7QokMhjJ53hFQL6UavVXNiTBf9cK+FLlUrI
Rz41bfkOomgkznLxsK/MzMjGWWPkX/xvazE8C+a+jh7WBfA2X+Wngzuw+nKja1X0
QUzbQ6RMLrTBKxni1cUXVh0eCed2v9ElTxXz/LrtC1uZNK4GP/vlTEHsOOqgJws8
XswAt9BM9MzC2orgjCNkgDSoP5lRIPPX5iVtqT6A1RBC2lSiHsNhm53wbM5fcIqp
BlVoPs+Cn2TjDth7uVsZ
=251x
-----END PGP SIGNATURE-----
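The two things the post touches on, sweeping source for pickle.loads call sites and the memcached-then-unpickle pattern behind CVE-2012-4406, as an added example (not code from the post, from swift, or from any package in the survey). It assumes nothing beyond the Python standard library: the sample source, the dict standing in for a memcached client and the HMAC key are all constructed here. Part one is an AST scan that lists pickle.load/loads calls, including aliased imports; part two is a cache wrapper that HMAC-tags each pickled value, verifies the tag before any unpickling, and restricts the globals the unpickler may resolve, so an unauthenticated writer to the cache cannot supply a blob that reaches code execution.

```python
"""Added example: find pickle.loads call sites, and unpickle cache data safely.
The sample source, the in-memory store and the key are constructed here."""
import ast
import collections
import hashlib
import hmac
import io
import pickle

PICKLE_MODULES = {"pickle", "cPickle", "_pickle"}


def find_pickle_loads(source: str):
    """Return sorted (lineno, call_text) for each pickle.load/loads call."""
    tree = ast.parse(source)
    module_aliases = set(PICKLE_MODULES)   # covers `import pickle as p`
    direct_names = set()                   # covers `from pickle import loads`
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name in PICKLE_MODULES:
                    module_aliases.add(a.asname or a.name)
        elif isinstance(node, ast.ImportFrom) and node.module in PICKLE_MODULES:
            for a in node.names:
                if a.name in ("load", "loads"):
                    direct_names.add(a.asname or a.name)
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if (isinstance(f, ast.Attribute) and f.attr in ("load", "loads")
                and isinstance(f.value, ast.Name) and f.value.id in module_aliases):
            hits.append((node.lineno, ast.unparse(node)))
        elif isinstance(f, ast.Name) and f.id in direct_names:
            hits.append((node.lineno, ast.unparse(node)))
    return sorted(hits)


# Constructed sample source showing the memcached-then-unpickle pattern.
SAMPLE_SOURCE = """\
import pickle
import cPickle as cp
from pickle import loads as unpickle

def load_meta(mc, key):
    raw = mc.get(key)            # memcached: no auth, no integrity check
    return pickle.loads(raw)     # flagged
def legacy(mc, key):
    return cp.loads(mc.get(key)) # flagged
def other(mc, key):
    return unpickle(mc.get(key)) # flagged
def fine(value):
    return pickle.dumps(value)   # not flagged: serialising is harmless
"""


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only a short allow-list of builtins (the pattern from the
    Python docs); any other GLOBAL reference in the stream is refused."""
    ALLOWED = {("builtins", n) for n in
               ("dict", "list", "tuple", "str", "int", "float", "bool")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


# A blob that merely references a class by name; restricted_loads rejects it.
GLOBAL_REFERENCE_BLOB = pickle.dumps(collections.OrderedDict)

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes of HMAC prefix


class SignedPickle:
    """Store HMAC(key, pickle) || pickle, so a writer without the key cannot
    forge an entry, and verify the tag before any unpickling happens."""

    def __init__(self, key: bytes, store: dict):
        self.key = key
        self.store = store   # constructed stand-in for a memcached client

    def _tag(self, blob: bytes) -> bytes:
        return hmac.new(self.key, blob, hashlib.sha256).digest()

    def set(self, name: str, value) -> None:
        blob = pickle.dumps(value)
        self.store[name] = self._tag(blob) + blob

    def get(self, name: str):
        raw = self.store.get(name)
        if raw is None:
            return None
        tag, blob = raw[:TAG_LEN], raw[TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(blob)):
            raise ValueError(f"{name}: bad HMAC, refusing to unpickle")
        return restricted_loads(blob)
```

The HMAC check is what actually closes the memcached hole: whoever can write to the cache still cannot produce a blob that verifies. The restricted unpickler is a second layer for the case where the key leaks or a legacy code path unpickles unsigned data; for metadata like swift's, switching to JSON removes the class entirely.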