Date: Sat, 19 Jul 2014 09:32:46 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Good news and bad news on Python sockets and pickle

On 19/07/14 12:00 AM, gremlin@...mlin.ru wrote:
> On 18-Jul-2014 22:40:38 -0600, Kurt Seifried wrote:
> 
>> I looked for cases where pickle.loads is used on untrusted data;
>> the good news is I didn't find many. The main two use cases were
>> taking data from zeroMQ and memcached and then unpickling it;
>> looks like those would be compromised in any event if malicious
>> data got in there, let alone RCE type stuff. [...] So here is my
>> question: is all pickle.loads from things like memcached (which
>> has no auth) generally CVE worthy? If so I can post a list of the
>> potentials. I'll be honest, I'm too lazy to go digging through it
>> (I'm not sure how many use shared/public memcached
>> configs/etc.).
> 
> All these issues aren't related to pickle.loads - they are just
> the ordinary use of untrusted data (which itself may be worth a CVE).

Uhmm yes and no, it's one thing to pull some data out of memcached and
use it for something, it's another to do so in a way that essentially
executes it.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
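The distinction Kurt draws above (using cached data versus executing it) is the whole point of the thread, so here is an added example, not part of the original post or of any of the projects mentioned, that shows it in code: a stock `pickle.loads` on a constructed cache entry ends up calling a function the caller never asked for (a harmless `os.getcwd` stands in for anything worse), and two mitigations a defender would apply to values read from an unauthenticated store like memcached. The allowlist in `RestrictedUnpickler` (the pattern from the Python `pickle` documentation) and the HMAC key are assumptions made up for the example.

```python
import builtins
import hashlib
import hmac
import io
import os
import pickle

# Assumed allowlist: the only globals the application needs to rebuild its
# cached objects. Anything else referenced by a pickle is refused.
SAFE_BUILTINS = {"dict", "list", "set", "frozenset", "tuple",
                 "str", "int", "float", "bool", "bytes"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global outside SAFE_BUILTINS."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class _CallsGetcwd:
    """Constructed stand-in for a hostile cache entry: on load, pickle
    resolves os.getcwd and calls it. A real attacker picks a worse callable."""

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed sample inputs: one hostile entry, one benign session record.
HOSTILE_PICKLE = pickle.dumps(_CallsGetcwd())
BENIGN_PICKLE = pickle.dumps({"user_id": 42, "roles": ["reader"]})


def plain_loads_runs_callable() -> bool:
    # Stock pickle.loads: the "data" is really an instruction to call a function,
    # which is what makes an unauthenticated memcached a code-execution path.
    return pickle.loads(HOSTILE_PICKLE) == os.getcwd()


def restricted_loads_blocks_callable() -> bool:
    try:
        restricted_loads(HOSTILE_PICKLE)
    except pickle.UnpicklingError:
        return True
    return False


# Second mitigation: authenticate cache values so that anyone who can write to
# the cache still cannot forge one. Assumed shared key; rotate it in practice.
CACHE_KEY = b"constructed-example-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size


def seal(obj) -> bytes:
    body = pickle.dumps(obj)
    tag = hmac.new(CACHE_KEY, body, hashlib.sha256).digest()
    return tag + body


def unseal(blob: bytes):
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(CACHE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cache value failed authentication; refusing to unpickle")
    # Even an authenticated value goes through the allowlist: defence in depth.
    return restricted_loads(body)


def unseal_rejects_tampering() -> bool:
    blob = seal({"user_id": 42})
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])  # flip one bit of the body
    try:
        unseal(tampered)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("plain pickle.loads called the function:", plain_loads_runs_callable())
    print("restricted unpickler blocked it:", restricted_loads_blocks_callable())
    print("HMAC seal rejects tampering:", unseal_rejects_tampering())
    print("round trip:", unseal(seal({"user_id": 42, "roles": ["reader"]})))
```

Note that the allowlist alone only limits which callables a pickle may name; the HMAC step is what turns "anyone who can write to memcached" from a code-execution issue into an ordinary untrusted-data issue, which is the line gremlin's reply and Kurt's answer are arguing about. The `find_class` hook does not fire for plain containers and scalars, so the benign record loads under the restriction without any entry in the allowlist being consulted.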
