Date: Sat, 19 Jul 2014 10:00:47 +0400 From: gremlin@...mlin.ru To: oss-security@...ts.openwall.com Subject: Re: Good news and bad news on Python sockets and pickle On 18-Jul-2014 22:40:38 -0600, Kurt Seifried wrote: > I looked for cases where pickle.loads is used on untrusted data, > the good news is didn't find many, the main two uses cases were > taking data from zeroMQ and memcached and then unpickling it, > looks like those would be compromised in any event if malicious > data got in there, let alone RCE type stuff. > [...] > So here is my question, is all pickle.loads from things like > memcached (which has no auth) generally CVE worthy? If so I can > post a list of the potentials, I'll be honest, I'm to lazy to > go digging through it (I'm not sure how many uses shared/public > memcached configs/etc.). All these issues aren't related to pickle.loads - they are just the ordinary use of untrusted data (which itself may worth a CVE). -- Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ðòé gremlin ôþë ru> GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ