Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 19 Jul 2014 10:00:47 +0400
Subject: Re: Good news and bad news on Python sockets and pickle

On 18-Jul-2014 22:40:38 -0600, Kurt Seifried wrote:

 > I looked for cases where pickle.loads is used on untrusted data,
 > the good news is didn't find many, the main two uses cases were
 > taking data from zeroMQ and memcached and then unpickling it,
 > looks like those would be compromised in any event if malicious
 > data got in there, let alone RCE type stuff.
 > [...]
 > So here is my question, is all pickle.loads from things like
 > memcached (which has no auth) generally CVE worthy? If so I can
 > post a list of the potentials, I'll be honest, I'm to lazy to
 > go digging through it (I'm not sure how many uses shared/public
 > memcached configs/etc.).

All these issues aren't related to pickle.loads - they are just the
ordinary use of untrusted data (which itself may worth a CVE).

Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ