Re: Good news and bad news on Python sockets and pickle

[gremlin () gremlin ru]

On 18-Jul-2014 22:40:38 -0600, Kurt Seifried wrote:

> I looked for cases where pickle.loads is used on untrusted data,
> the good news is didn't find many, the main two uses cases were
> taking data from zeroMQ and memcached and then unpickling it,
> looks like those would be compromised in any event if malicious
> data got in there, let alone RCE type stuff.
> [...]
> So here is my question, is all pickle.loads from things like
> memcached (which has no auth) generally CVE worthy? If so I can
> post a list of the potentials, I'll be honest, I'm to lazy to
> go digging through it (I'm not sure how many uses shared/public
> memcached configs/etc.).

All these issues aren't related to pickle.loads - they are just the
ordinary use of untrusted data (which itself may worth a CVE).


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net