Date: Sat, 19 Jul 2014 09:32:46 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Good news and bad news on Python sockets and pickle

On 19/07/14 12:00 AM, gremlin@...mlin.ru wrote:
> On 18-Jul-2014 22:40:38 -0600, Kurt Seifried wrote:
>
>> I looked for cases where pickle.loads is used on untrusted data;
>> the good news is I didn't find many. The main two use cases were
>> taking data from zeroMQ and memcached and then unpickling it;
>> looks like those would be compromised in any event if malicious
>> data got in there, let alone RCE type stuff. [...] So here is my
>> question: is all pickle.loads from things like memcached (which
>> has no auth) generally CVE worthy? If so I can post a list of the
>> potentials. I'll be honest, I'm too lazy to go digging through it
>> (I'm not sure how many use shared/public memcached
>> configs/etc.).
>
> All these issues aren't related to pickle.loads - they are just
> the ordinary use of untrusted data (which itself may be worth a CVE).

Uhmm, yes and no. It's one thing to pull some data out of memcached and use it for something; it's another to do so in a way that essentially executes it.
-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
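The distinction drawn in the reply above (reading a cached value versus unpickling it) as an added example; this is not code from the thread or from any of the audited projects. `record_call`, `Tampered`, `unsafe_cache_read` and `RestrictedUnpickler` are constructed here for illustration; the allow-list `find_class` pattern is the one described in the Python pickle documentation.

```python
"""Why pickle.loads on a value from an unauthenticated store is more than
'ordinary use of untrusted data': unpickling invokes callables."""
import io
import json
import pickle

# Constructed side-effect log: lets the example prove that code ran during
# unpickling without doing anything beyond appending to a list.
CALLS = []

def record_call(tag):
    CALLS.append(tag)
    return tag

class Tampered:
    """Stand-in for a value anyone able to write to the shared cache could
    plant. Unpickling it calls record_call() before the app sees any data."""
    def __reduce__(self):
        return (record_call, ("code ran during unpickling",))

def unsafe_cache_read(blob):
    # The pattern found in the audited projects: whatever sits in the cache
    # is handed straight to pickle.loads.
    return pickle.loads(blob)

class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global except an explicit allow-list, so a pickle can
    only rebuild plain data, never call arbitrary functions."""
    SAFE = {("builtins", "range"), ("builtins", "slice")}

    def find_class(self, module, name):
        if (module, name) in self.SAFE:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def restricted_loads(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()

def demo():
    CALLS.clear()
    blob = pickle.dumps(Tampered())        # what a tampering writer would store
    unsafe_cache_read(blob)
    ran_unsafely = len(CALLS) == 1          # plain loads executed the callable
    try:
        restricted_loads(blob)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True                      # allow-list loader refused it
    # Plain data still round-trips; the allow-listed range global is honoured.
    benign = restricted_loads(pickle.dumps({"user": "alice", "ids": range(3)}))
    # JSON-only cache values avoid the problem entirely for plain data.
    same = json.loads(json.dumps({"user": "alice", "ids": [0, 1, 2]}))
    data_ok = benign["user"] == same["user"] and list(benign["ids"]) == same["ids"]
    return ran_unsafely, blocked, data_ok

if __name__ == "__main__":
    print(demo())
```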