oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Fwd: [Python-modules-team] Bug#736247: python-xdg: get_runtime_dir(strict=False): insecure use of /tmp

From: cve-assign () mitre org
Date: Tue, 21 Jan 2014 13:08:21 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


as reported by Jakub Wilk in http://bugs.debian.org/736247, there is a
TOCTOU failure in python's xdg module

1) Create symlink /tmp/pyxdg-runtime-dir-fallback-victim, pointing to a 
directory owned by the victim


Use CVE-2014-1624.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJS3rYbAAoJEKllVAevmvmsstgH/0w3D687UMenhRZvTHdoPWwi
nk1vTE9SGraAUIe24g0VbdqI3vVUuMN1XqQnljFr2fkCWvhw2c2KCXg99TIcCmLo
wlqRIAf37dCgHXLyHjzlboNKZm+Mlrh57vis4VJIyrq8byW0jmgR9Dv+tACMeWkj
9Wkt1slsPiIMvFOjIZKjN8r8a85XbhpCQIrV4/uFMyOOarQHB9IT25YKNaldegFY
CylvlLM7mi4Ux1JU+ZIUMdwxQoSOtvq3OKYwbHNZoYMH5mGcwwgRN4/tTbuqxmOn
u8TYG3xqqVS4j2QuUG//LACrftlcJ0e/XtQTmSvJlVju/9bE2KD1U3ewrvUYHE0=
=9769
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: