Your message dated Fri, 04 Sep 2015 05:49:30 +0000
with message-id <e1zxjsq-0000mq...@franck.debian.org>
and subject line Bug#737627: fixed in python-rply 0.7.4-1
has caused the Debian Bug report #737627,
regarding python-rply: CVE-2014-1938: still uses /tmp insecurely
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
737627: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737627
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-rply
Version: 0.7.1-1
Severity: important
Tags: security
[I notified upstream about this problem on 2014-01-27 in a private
e-mail, but there was no reply so far; so I'm disclosing it now.]
rply still uses /tmp insecurely. A malicious local user can cause denial
of service via symlink or hardlink attacks.
Here's an example, using the same test code as in #735263:
$ id | cut -d' ' -f1
uid=1000(jwilk)
$ ls -l /tmp/rply*.json
lrwxr-xr-x 1 mallory root 12 Jan 27 22:08 /tmp/rply-1-1000-tinycalc-72306a09ee3b3fe5697e2d0114eb3ee132a6ff7a.json -> /dev/urandom
$ echo '6 * 7' | python3 tinycalc.py
[eats 100% CPU and gigabytes of RAM]
--
Jakub Wilk
--- End Message ---
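An added example, not rply's code and not part of this bug thread, showing how a parser-table cache can be stored without the exposure the report describes: a per-user 0700 directory instead of /tmp, O_CREAT|O_EXCL and O_NOFOLLOW on open so a pre-existing symlink is refused rather than followed, and an fstat check that the opened file is regular, owned by the caller and has no extra hard links. The cache file names and the symlink planted in demo() are constructed for illustration; os.getuid and O_NOFOLLOW assume a POSIX system.

```python
import os
import stat
import tempfile

def user_cache_dir(app: str) -> str:
    """Per-user cache directory (XDG layout), mode 0700, instead of /tmp."""
    base = os.environ.get("XDG_CACHE_HOME") or os.path.expanduser("~/.cache")
    path = os.path.join(base, app)
    os.makedirs(path, mode=0o700, exist_ok=True)
    return path

def _check_fd(fd: int) -> None:
    """Reject anything that is not a plain, unshared file owned by us."""
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode):
        raise OSError("cache path is not a regular file")
    if st.st_uid != os.getuid():
        raise OSError("cache file is owned by another user")
    if st.st_nlink != 1:  # a planted hard link shows up as nlink > 1
        raise OSError("cache file has extra hard links")

def write_cache(path: str, data: bytes) -> None:
    """O_EXCL fails on any pre-existing entry, symlinks included; 0600 keeps it private."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(path, flags, 0o600), "wb") as f:
        _check_fd(f.fileno())
        f.write(data)

def read_cache(path: str) -> bytes:
    """O_NOFOLLOW turns a symlink at the path into ELOOP instead of following it."""
    with os.fdopen(os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)), "rb") as f:
        _check_fd(f.fileno())
        return f.read()

def demo(workdir=None) -> dict:
    """Round trip, then a symlink planted at the cache path (constructed here,
    like the /dev/urandom link in the report) that both calls must refuse."""
    workdir = workdir or tempfile.mkdtemp()
    good, planted = (os.path.join(workdir, n) for n in ("ok.json", "planted.json"))
    write_cache(good, b'{"x": 1}')
    os.symlink(os.devnull, planted)
    out = {"roundtrip": read_cache(good) == b'{"x": 1}',
           "private": (os.stat(good).st_mode & 0o077) == 0}
    for name, call in (("write_refused", lambda: write_cache(planted, b"x")),
                       ("read_refused", lambda: read_cache(planted))):
        try:
            call()
            out[name] = False
        except OSError:
            out[name] = True
    return out
```

The same fstat checks apply when the cache already exists and is reused: a file that fails them should be discarded and regenerated rather than read.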
--- Begin Message ---
Source: python-rply
Source-Version: 0.7.4-1
We believe that the bug you reported is fixed in the latest version of
python-rply, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 737...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tristan Seligmann <mithra...@debian.org> (supplier of updated python-rply
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 04 Sep 2015 07:16:00 +0200
Source: python-rply
Binary: python-rply python3-rply pypy-rply
Architecture: source all
Version: 0.7.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team
<python-modules-team@lists.alioth.debian.org>
Changed-By: Tristan Seligmann <mithra...@debian.org>
Description:
pypy-rply - pure Python based parser that also works with RPython (PyPy)
python-rply - pure Python based parser that also works with RPython (Python 2)
python3-rply - pure Python based parser that also works with RPython (Python 3)
Closes: 737627
Changes:
python-rply (0.7.4-1) unstable; urgency=medium
.
* New upstream release.
- Stop using /tmp entirely; this fixes the remaining insecure handling
issue (Closes: #737627).
--- End Message ---
_______________________________________________
Python-modules-team mailing list
Python-modules-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team