python-xdg: get_runtime_dir(strict=False): insecure use of /tmp (CVE-2014-1624)

Related Vulnerabilities: CVE-2014-1624  

Debian Bug report logs - #736247


Reported by: Jakub Wilk <jwilk@debian.org>

Date: Tue, 21 Jan 2014 13:48:01 UTC

Severity: important

Tags: fixed-upstream, security

Found in version pyxdg/0.25-3

Fixed in version pyxdg/0.25-4

Done: Andrew Starr-Bochicchio <asb@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.freedesktop.org/show_bug.cgi?id=73878




Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#736247; Package python-xdg. (Tue, 21 Jan 2014 13:48:06 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-xdg: get_runtime_dir(strict=False): insecure use of /tmp
Date: Tue, 21 Jan 2014 14:45:11 +0100
Package: python-xdg
Version: 0.25-3
Severity: important
Tags: security

xdg.BaseDirectory.get_runtime_dir(strict=False) is prone to symlink 
attacks. A malicious local user could do the following:

1) Create symlink /tmp/pyxdg-runtime-dir-fallback-victim, pointing to a 
directory owned by the victim, say /home/victim.

2) Wait until the victim calls get_runtime_dir(strict=False), which 
succeeds and returns "/tmp/pyxdg-runtime-dir-fallback-victim".

3) Switch the symlink to point to a directory of their choice.

-- 
Jakub Wilk
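The three steps above, as an added example that is not part of the bug report or of pyxdg's own code: a self-contained Python simulation of the race in a private scratch directory, with a naive isdir()-style fallback beside an lstat()-based one. Only the "pyxdg-runtime-dir-fallback-<user>" name comes from the report; the function names, the scratch-tree layout and the hardened variant's refuse-on-tamper behaviour are my own assumptions, and the upstream patch referenced in the changelog is not reproduced here.

```python
"""Simulation of the symlink race in a /tmp-style runtime-dir fallback.

Hypothetical code for illustration, not pyxdg's implementation. Only the
"pyxdg-runtime-dir-fallback-<user>" name comes from the bug report; a private
scratch directory stands in for /tmp so the script runs anywhere as any user.
"""
import os
import shutil
import stat
import tempfile


def fallback_name(base, user):
    """Predictable per-user path, named as in the report."""
    return os.path.join(base, "pyxdg-runtime-dir-fallback-" + user)


def vulnerable_fallback(base, user):
    """Naive pattern: accept anything isdir() likes. isdir() follows symlinks,
    so a symlink another user planted at this path, pointing at any directory
    the victim owns, passes the check and is handed back to the caller."""
    path = fallback_name(base, user)
    if not os.path.isdir(path):
        os.mkdir(path, 0o700)
    return path


def hardened_fallback(base, user):
    """Hardened pattern: inspect the path itself with lstat() (no symlink
    following), require a real directory owned by us with no group/other bits,
    and treat mkdir()'s EEXIST as proof that someone raced us."""
    path = fallback_name(base, user)
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        try:
            os.mkdir(path, 0o700)  # mkdir() never follows a symlink at `path`
        except FileExistsError:
            raise RuntimeError("%s appeared between lstat() and mkdir()" % path)
        return path
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("%s is not a directory (planted symlink or file)" % path)
    if st.st_uid != os.getuid() or st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise RuntimeError("%s: wrong owner or group/other-accessible" % path)
    return path


def simulate(impl, user="victim"):
    """Play the three steps of the report against `impl` in a scratch tree.
    Returns whether impl accepted the planted path and whether a file the
    victim later wrote through it ended up in the attacker's directory."""
    base = tempfile.mkdtemp(prefix="runtime-dir-race-")
    try:
        victim_home = os.path.join(base, "home-" + user)  # owned by the victim
        attacker_dir = os.path.join(base, "attacker-controlled")
        os.mkdir(victim_home)
        os.mkdir(attacker_dir)
        link = fallback_name(base, user)

        # Step 1: attacker pre-creates the symlink pointing at a directory the
        # victim owns, so an isdir()-style check passes.
        os.symlink(victim_home, link)

        # Step 2: victim asks for its runtime dir.
        try:
            runtime_dir = impl(base, user)
        except RuntimeError as exc:
            return {"accepted": False, "leaked": False, "reason": str(exc)}

        # Step 3: attacker re-points the symlink at a directory of their choice.
        os.unlink(link)
        os.symlink(attacker_dir, link)

        # Victim trusts the returned path and drops something sensitive there
        # (constructed content; a real caller would put a socket or token here).
        with open(os.path.join(runtime_dir, "session.sock"), "w") as fh:
            fh.write("constructed secret")
        leaked = os.path.exists(os.path.join(attacker_dir, "session.sock"))
        return {"accepted": True, "leaked": leaked, "reason": ""}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print("vulnerable:", simulate(vulnerable_fallback))
    print("hardened:  ", simulate(hardened_fallback))
```

The hardened variant refuses rather than deleting whatever it finds; the essential property is that the check runs on the path entry itself (lstat, not stat or isdir) and that mkdir, which never follows a symlink, is the step that decides who owns the directory. Even so, a per-user directory under a shared, predictable name remains a weaker design than a real XDG_RUNTIME_DIR provisioned by the login session, which is what the strict=True code path insists on.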



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#736247; Package python-xdg. (Tue, 21 Jan 2014 14:33:16 GMT)


Acknowledgement sent to Daniel Kahn Gillmor <dkg@fifthhorseman.net>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 21 Jan 2014 14:33:16 GMT)


Message #8 received at 736247@bugs.debian.org:

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: oss-security@lists.openwall.com, 736247@bugs.debian.org
Subject: Fwd: [Python-modules-team] Bug#736247: python-xdg: get_runtime_dir(strict=False): insecure use of /tmp
Date: Tue, 21 Jan 2014 09:28:39 -0500
as reported by Jakub Wilk in http://bugs.debian.org/736247, there is a
TOCTOU failure in python's xdg module (see attached message).

Could a CVE be assigned to this?

	--dkg
[[Python-modules-team] Bug#736247: python-xdg: get_runtime_dir(strict=False): insecure use of /tmp.eml (message/rfc822, inline)]
From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [Python-modules-team] Bug#736247: python-xdg: get_runtime_dir(strict=False): insecure use of /tmp
Date: Tue, 21 Jan 2014 14:45:11 +0100
Package: python-xdg
Version: 0.25-3
Severity: important
Tags: security

xdg.BaseDirectory.get_runtime_dir(strict=False) is prone to symlink 
attacks. A malicious local user could do the following:

1) Create symlink /tmp/pyxdg-runtime-dir-fallback-victim, pointing to a 
directory owned by the victim, say /home/victim.

2) Wait until the victim calls get_runtime_dir(strict=False), which 
succeeds and returns "/tmp/pyxdg-runtime-dir-fallback-victim".

3) Switch the symlink to point to a directory of their choice.

-- 
Jakub Wilk

_______________________________________________
Python-modules-team mailing list
Python-modules-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team

Set Bug forwarded-to-address to 'https://bugs.freedesktop.org/show_bug.cgi?id=73878'. Request was from Andrew Starr-Bochicchio <asb@debian.org> to control@bugs.debian.org. (Tue, 21 Jan 2014 14:33:19 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#736247; Package python-xdg. (Tue, 21 Jan 2014 18:21:04 GMT)


Acknowledgement sent to cve-assign@mitre.org:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 21 Jan 2014 18:21:04 GMT)


Message #15 received at 736247@bugs.debian.org:

From: cve-assign@mitre.org
To: dkg@fifthhorseman.net
Cc: cve-assign@mitre.org, oss-security@lists.openwall.com, 736247@bugs.debian.org
Subject: Re: Fwd: [Python-modules-team] Bug#736247: python-xdg: get_runtime_dir(strict=False): insecure use of /tmp
Date: Tue, 21 Jan 2014 13:08:21 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> as reported by Jakub Wilk in http://bugs.debian.org/736247, there is a
> TOCTOU failure in python's xdg module
> 
> 1) Create symlink /tmp/pyxdg-runtime-dir-fallback-victim, pointing to a 
> directory owned by the victim

Use CVE-2014-1624.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJS3rYbAAoJEKllVAevmvmsstgH/0w3D687UMenhRZvTHdoPWwi
nk1vTE9SGraAUIe24g0VbdqI3vVUuMN1XqQnljFr2fkCWvhw2c2KCXg99TIcCmLo
wlqRIAf37dCgHXLyHjzlboNKZm+Mlrh57vis4VJIyrq8byW0jmgR9Dv+tACMeWkj
9Wkt1slsPiIMvFOjIZKjN8r8a85XbhpCQIrV4/uFMyOOarQHB9IT25YKNaldegFY
CylvlLM7mi4Ux1JU+ZIUMdwxQoSOtvq3OKYwbHNZoYMH5mGcwwgRN4/tTbuqxmOn
u8TYG3xqqVS4j2QuUG//LACrftlcJ0e/XtQTmSvJlVju/9bE2KD1U3ewrvUYHE0=
=9769
-----END PGP SIGNATURE-----



Changed Bug title to 'python-xdg: get_runtime_dir(strict=False): insecure use of /tmp (CVE-2014-1624)' from 'python-xdg: get_runtime_dir(strict=False): insecure use of /tmp'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 21 Jan 2014 20:03:08 GMT)


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 27 Jan 2014 17:39:18 GMT)


Added tag(s) pending. Request was from asb@users.alioth.debian.org to control@bugs.debian.org. (Mon, 27 Jan 2014 18:06:11 GMT)


Reply sent to Andrew Starr-Bochicchio <asb@debian.org>:
You have taken responsibility. (Mon, 27 Jan 2014 18:48:09 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Mon, 27 Jan 2014 18:48:09 GMT)


Message #26 received at 736247-close@bugs.debian.org:

From: Andrew Starr-Bochicchio <asb@debian.org>
To: 736247-close@bugs.debian.org
Subject: Bug#736247: fixed in pyxdg 0.25-4
Date: Mon, 27 Jan 2014 18:45:16 +0000
Source: pyxdg
Source-Version: 0.25-4

We believe that the bug you reported is fixed in the latest version of
pyxdg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 736247@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrew Starr-Bochicchio <asb@debian.org> (supplier of updated pyxdg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 27 Jan 2014 13:11:18 -0500
Source: pyxdg
Binary: python-xdg python3-xdg
Architecture: source all
Version: 0.25-4
Distribution: unstable
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Andrew Starr-Bochicchio <asb@debian.org>
Description: 
 python-xdg - Python 2 library to access freedesktop.org standards
 python3-xdg - Python 3 library to access freedesktop.org standards
Closes: 736247
Changes: 
 pyxdg (0.25-4) unstable; urgency=high
 .
   * Backport upstream patch that fixes the insecure use
     of /tmp in xdg.BaseDirectory.get_runtime_dir(strict=False)
     (Closes: #736247). Fixes CVE-2014-1624.
   * Bump Standards-Version to 3.9.5, no changes needed.
Checksums-Sha1: 
 deb47c02ca8ac2492e5acd46ede34e771d2650bb 2158 pyxdg_0.25-4.dsc
 89dbb325febd1eeb6ca8dcb604546e433882c093 7540 pyxdg_0.25-4.debian.tar.xz
 78ca5512a75cb0a8dd87ad8a0c358209eb1c3a96 35830 python-xdg_0.25-4_all.deb
 928cf1f896d07ab64f4121ede4cbb8c2f8f498e3 35704 python3-xdg_0.25-4_all.deb
Checksums-Sha256: 
 48d2f0d114f4301553e6f7d2e8d3a363bd3e87301b76a5b7da0b8b0e9ba81676 2158 pyxdg_0.25-4.dsc
 9e5e910cfed45b24d84333822942c3a5cd7789edd7faa42d63e2a74c6362ae8a 7540 pyxdg_0.25-4.debian.tar.xz
 bf411749871920adad44baef60e4473b7ea78f752d2b5a3c39fb4a4cf56b6428 35830 python-xdg_0.25-4_all.deb
 a02a51a926db694dc1d13a219d0bb79895b0bd4121ebb72cc4a8f3a70386d248 35704 python3-xdg_0.25-4_all.deb
Files: 
 bce67d13c311d00c421d8902da253a9c 2158 python optional pyxdg_0.25-4.dsc
 4aec393f4147f38ef6703cb7ea3537ee 7540 python optional pyxdg_0.25-4.debian.tar.xz
 a3886d34a2f1476c78b1885a49dd27f2 35830 python optional python-xdg_0.25-4_all.deb
 731ab56dffb234558a53b306ce3cad05 35704 python optional python3-xdg_0.25-4_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Feb 2014 07:29:12 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:32:19 2019; Machine Name: buxtehude
