Date: Sat, 19 Jul 2014 10:00:47 +0400
From: gremlin@...mlin.ru
To: oss-security@...ts.openwall.com
Subject: Re: Good news and bad news on Python sockets and pickle

On 18-Jul-2014 22:40:38 -0600, Kurt Seifried wrote:

 > I looked for cases where pickle.loads is used on untrusted data,
 > the good news is I didn't find many, the main two use cases were
 > taking data from zeroMQ and memcached and then unpickling it,
 > looks like those would be compromised in any event if malicious
 > data got in there, let alone RCE type stuff.
 > [...]
 > So here is my question, is all pickle.loads from things like
 > memcached (which has no auth) generally CVE worthy? If so I can
 > post a list of the potentials, I'll be honest, I'm too lazy to
 > go digging through it (I'm not sure how many uses shared/public
 > memcached configs/etc.).

All these issues aren't related to pickle.loads - they are just the
ordinary use of untrusted data (which itself may be worth a CVE).


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
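
Added example, not part of the original thread or of any project it mentions: one way to treat an unauthenticated cache as untrusted input is to verify an HMAC over each stored blob before it ever reaches pickle.loads. The function names, the demo key and the dict standing in for memcached are assumptions made for illustration.

```python
import hashlib
import hmac
import pickle

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


class CacheIntegrityError(Exception):
    """Raised when a cached blob fails authentication."""


def _mac(key: bytes, cache_key: str, payload: bytes) -> bytes:
    # Length-prefix the cache key so (key name, payload) is unambiguous and a
    # blob sealed for one entry cannot be replayed under another entry.
    name = cache_key.encode("utf-8")
    msg = len(name).to_bytes(4, "big") + name + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal(key: bytes, cache_key: str, value) -> bytes:
    """Pickle `value` and prepend a tag bound to `cache_key`."""
    payload = pickle.dumps(value, protocol=pickle.HIGHEST_PROTOCOL)
    return _mac(key, cache_key, payload) + payload


def unseal(key: bytes, cache_key: str, blob: bytes):
    """Verify the tag first; only authenticated bytes reach pickle.loads."""
    if len(blob) < TAG_LEN:
        raise CacheIntegrityError("blob shorter than a tag")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(key, cache_key, payload)):
        raise CacheIntegrityError("bad MAC for %r" % cache_key)
    return pickle.loads(payload)


def demo():
    key = b"constructed-demo-key"  # constructed; load from a secret store in practice
    cache = {}                     # stands in for memcached, which has no auth
    cache["session:1"] = seal(key, "session:1", {"user": "alice", "admin": False})
    good = unseal(key, "session:1", cache["session:1"])
    # A party with write access to the cache swaps in its own pickle.
    cache["session:1"] = pickle.dumps({"user": "alice", "admin": True})
    try:
        unseal(key, "session:1", cache["session:1"])
        rejected = False
    except CacheIntegrityError:
        rejected = True
    return good, rejected


if __name__ == "__main__":
    print(demo())
```

The MAC key has to live outside the cache; anyone who can read it can forge entries, and the scheme does not stop rollback to an older value sealed for the same entry.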
