oss-sec mailing list archives
Re: Good news and bad news on Python sockets and pickle
From: gremlin () gremlin ru
Date: Sat, 19 Jul 2014 10:00:47 +0400
On 18-Jul-2014 22:40:38 -0600, Kurt Seifried wrote:
I looked for cases where pickle.loads is used on untrusted data, the good news is didn't find many, the main two uses cases were taking data from zeroMQ and memcached and then unpickling it, looks like those would be compromised in any event if malicious data got in there, let alone RCE type stuff. [...] So here is my question, is all pickle.loads from things like memcached (which has no auth) generally CVE worthy? If so I can post a list of the potentials, I'll be honest, I'm to lazy to go digging through it (I'm not sure how many uses shared/public memcached configs/etc.).
All these issues aren't related to pickle.loads - they are just the ordinary use of untrusted data (which itself may worth a CVE). -- Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru> GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
Current thread:
- Good news and bad news on Python sockets and pickle Kurt Seifried (Jul 18)
- Re: Good news and bad news on Python sockets and pickle gremlin (Jul 18)
- Re: Good news and bad news on Python sockets and pickle Kurt Seifried (Jul 19)
- Re: Good news and bad news on Python sockets and pickle cve-assign (Jul 19)
- Re: Good news and bad news on Python sockets and pickle gremlin (Jul 18)