Date: Tue, 09 Sep 2014 16:26:26 +1000
From: David Jorm <djorm@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: pinocchio tmp vuln

On 09/09/2014 04:21 PM, Kurt Seifried wrote:
> https://pypi.python.org/pypi/pinocchio/
>
> pinocchio stopwatch --with-stopwatch Select tests based on execution time
>
> pinocchio-0.4.1/pinocchio/stopwatch.py
>
>     def finalize(self, result):
>         """
>         Save the recorded times, OR dump them into /tmp if the file
>         open fails.
>         """
>         try:
>             fp = open(self.stopwatch_file, 'w')
>         except (IOError, OSError):
>             t = int(time.time())
>             filename = '/tmp/nose-stopwatch-%s.pickle' % (t,)
>
> int(time.time) is easily guessed, create a few thousand and you're
> covered for the next few hours and can stop anyone from using stopwatch,
> or you can just blow away files as usual =).
>
>             fp = open(filename, 'w')
>             log.warning('WARNING: stopwatch cannot write to "%s"' %
>                         (self.stopwatch_file))
>             log.warning('WARNING: stopwatch is using "%s" to save times'
>                         % (filename,))
>
>         dump(self.times, fp)
>         fp.close()

You're a troll :)
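As an added example that is not part of this thread or of pinocchio: the fallback rewritten so that the temporary file is created by tempfile.NamedTemporaryFile (O_CREAT|O_EXCL, mode 0600, random name) instead of a time-derived name under /tmp. The SafeStopwatch class and demo() are hypothetical, and the sample times are constructed.

```python
import os
import pickle
import stat
import tempfile


class SafeStopwatch:
    """Hypothetical hardened rewrite of the fallback in pinocchio's finalize()
    (added example, not the project's code).

    The original falls back to open('/tmp/nose-stopwatch-%s.pickle' % int(time.time()), 'w'):
    the name is guessable, so another local user can pre-create the files (denying the
    fallback) or plant a link the write then follows.  Here the fallback file is created
    with O_CREAT|O_EXCL, mode 0600 and a random name, and an already-existing name just
    makes tempfile retry with a different one."""

    def __init__(self, stopwatch_file, times):
        self.stopwatch_file = stopwatch_file
        self.times = times

    def finalize(self):
        """Save the recorded times; return the path that was actually written."""
        try:
            fp = open(self.stopwatch_file, 'wb')
        except (IOError, OSError):
            fp = tempfile.NamedTemporaryFile(prefix='nose-stopwatch-',
                                             suffix='.pickle', delete=False)
        with fp:
            pickle.dump(self.times, fp)
        return fp.name


def demo():
    """Force the fallback by pointing the primary file into a directory that does
    not exist, then report what the fallback produced (sample times are constructed)."""
    primary = os.path.join(tempfile.gettempdir(), 'no-such-dir', 'stopwatch.pickle')
    times = {'test_fast': 0.01, 'test_slow': 2.5}
    path = SafeStopwatch(primary, times).finalize()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, 'rb') as fp:
        restored = pickle.load(fp)
    os.unlink(path)
    return {
        'basename': os.path.basename(path),
        'in_tmpdir': os.path.dirname(path) == tempfile.gettempdir(),
        # group/other permission bits must be clear; not meaningful on non-POSIX platforms
        'owner_only': os.name != 'posix' or (mode & 0o077) == 0,
        'roundtrip_ok': restored == times,
    }
```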