Source: python-rply
Version: 0.7.0-1
Severity: grave
Tags: security
Justification: user security hole
rply stores its cache files in /tmp. This is insecure, because /tmp is
world-writable, and the filenames rply uses are of course predictable.
Proof of concept is attached. If you put the rply-*.json file in /tmp
and make it world-readable, then the tiny calculator's math will start
to be slightly off (even when run by a different user than the owner of
the cache file):
$ ls -l /tmp/rply-*.json
-rw-r--r-- 1 eve users 730 Jan 13 22:20 /tmp/rply-1-tinycalc-72306a09ee3b3fe5697e2d0114eb3ee132a6ff7a.json
$ whoami
jwilk
$ echo 69 - 37 - 10 | python3 tinycalc.py
69 - 37 - 10 = 42
--
Jakub Wilk
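The report above comes down to three things: a cache file with a predictable name, placed in a directory every local user can write to, and loaded without any check of who wrote it. The block below is an added example, not rply's own code and not a reproduction of the upstream fix, of how a defender structures such a cache instead: a per-user directory created with mode 0700, files written as 0600 through a temp file and an atomic rename, and a loader that refuses symlinks and checks owner, type and mode on the opened descriptor before it parses any JSON. The function names, the stand-in parser table and the demo directory are constructed for this example.

```python
"""Added example (not rply's code, not the upstream patch): a cache-file
scheme that avoids the /tmp problem described in the bug report.
Names, paths and the sample cache contents are constructed."""
import hashlib
import json
import os
import stat
import tempfile


def user_cache_dir(app, base=None):
    """Per-user cache directory (XDG_CACHE_HOME or ~/.cache), mode 0700.

    Other users cannot create or rename entries inside it, so a
    predictable file name is no longer a problem by itself.
    """
    if base is None:
        base = os.environ.get("XDG_CACHE_HOME") or os.path.join(
            os.path.expanduser("~"), ".cache")
    path = os.path.join(base, app)
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)  # makedirs applies the mode only when it creates
    return path


def cache_path(cache_dir, name, table_bytes):
    """Hashed file name like the one in the report, but in the private dir."""
    digest = hashlib.sha1(table_bytes).hexdigest()
    return os.path.join(cache_dir, "%s-%s.json" % (name, digest))


def save_cache(path, data):
    """Write through a 0600 temp file in the same directory, then rename.

    mkstemp never follows or reuses an existing name, and os.replace is
    atomic, so a reader sees either the old file or the complete new one.
    """
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(data, f)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def fd_is_trustworthy(fd):
    """True only for a regular file owned by us that nobody else can write."""
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != os.getuid():  # the report's case: file owned by "eve"
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def load_cache(path):
    """Return the cached table, or None if the file is absent or untrusted.

    The checks run on the opened descriptor (fstat), not on the path, so
    nothing can be swapped in between the check and the read. O_NOFOLLOW
    makes a planted symlink fail to open instead of being followed.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:  # missing, or a symlink (ELOOP under O_NOFOLLOW)
        return None
    with os.fdopen(fd, "r") as f:
        if not fd_is_trustworthy(f.fileno()):
            return None
        return json.load(f)


def demo(base_dir=None):
    """Round-trip one table, then show two planted-file cases the loader
    refuses. Returns a dict so the outcome can be inspected."""
    if base_dir is None:
        base_dir = tempfile.mkdtemp(prefix="rply-cache-demo-")
    cache_dir = user_cache_dir("rply", base_dir)
    table = {"lr_action": {"0": {"NUMBER": 1}}}  # constructed stand-in
    path = cache_path(cache_dir, "tinycalc", b"constructed grammar")
    save_cache(path, table)
    results = {
        "dir_mode": stat.S_IMODE(os.stat(cache_dir).st_mode),
        "file_mode": stat.S_IMODE(os.stat(path).st_mode),
        "clean_load": load_cache(path),
    }
    # Case 1: a file somebody else could have written. The report's file was
    # 0644 and owned by another user; a test cannot change ownership, so the
    # same rejection path is exercised here via group/world write bits.
    os.chmod(path, 0o666)
    results["world_writable_load"] = load_cache(path)
    os.chmod(path, 0o600)
    # Case 2: a symlink planted where the cache file is expected
    link = path + ".planted"
    os.symlink(path, link)
    results["symlink_load"] = load_cache(link)
    return results


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the results dict; the two planted cases come back as None while the clean round trip returns the table, and the directory and file modes are 0700 and 0600. The ownership check is what would have stopped the attached proof of concept: a file owned by a different user is ignored even when its contents are valid JSON.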
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#735263; Package src:python-rply.
(Fri, 17 Jan 2014 23:21:07 GMT)
Acknowledgement sent
to Alex Gaynor <alex.gaynor@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>.
(Fri, 17 Jan 2014 23:21:08 GMT)
A patch for this issue has been landed:
https://github.com/alex/rply/commit/fc9bbcd25b0b4f09bbd6339f710ad24c129d5d7c and
I am issuing an 0.7.1 release with this patch as we speak.
Alex
--
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>: Bug#735263; Package src:python-rply.
(Fri, 17 Jan 2014 23:24:11 GMT)
Acknowledgement sent
to Alex Gaynor <alex.gaynor@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>.
(Fri, 17 Jan 2014 23:24:11 GMT)
At this point a release has been issued and is available from PyPI as 0.7.1
Alex
Added tag(s) pending.
Request was from mithrandi@users.alioth.debian.org
to control@bugs.debian.org.
(Sat, 18 Jan 2014 00:09:11 GMT)
Reply sent
to Tristan Seligmann <mithrandi@debian.org>:
You have taken responsibility.
(Sat, 18 Jan 2014 01:06:05 GMT)
Notification sent
to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer.
(Sat, 18 Jan 2014 01:06:05 GMT)
Source: python-rply
Source-Version: 0.7.1-1
We believe that the bug you reported is fixed in the latest version of
python-rply, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 735263@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tristan Seligmann <mithrandi@debian.org> (supplier of updated python-rply package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 18 Jan 2014 02:45:02 +0200
Source: python-rply
Binary: python-rply python3-rply pypy-rply
Architecture: source all
Version: 0.7.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Tristan Seligmann <mithrandi@debian.org>
Description:
pypy-rply - pure Python based parser that also works with RPython (PyPy)
python-rply - pure Python based parser that also works with RPython (Python 2)
python3-rply - pure Python based parser that also works with RPython (Python 3)
Closes: 735263
Changes:
python-rply (0.7.1-1) unstable; urgency=medium
.
* New upstream release.
- Fixes insecure /tmp handling (Closes: #735263).
* Add myself to Uploaders.
* Add PGP signature checking to watch file.
* Patch setup.py to use distutils instead of setuptools (since setuptools is
not packaged for pypy in Debian yet).
* Install upstream README.
Checksums-Sha1:
af2cff348474b7d2c2936235df563151808f2421 2196 python-rply_0.7.1-1.dsc
2fc081f44018132ec7ab562110ce9a1e942d6574 14492 python-rply_0.7.1.orig.tar.gz
f4f3e94c812c829c01c70574daf90b6f8ddc95a5 21341 python-rply_0.7.1-1.debian.tar.gz
52030ed59d6fd746fd6e8ccf6e9bc82d42d5e7a0 16428 python-rply_0.7.1-1_all.deb
4b35d8d88ac2524ca26f1485e704a7dedf6246f3 15994 python3-rply_0.7.1-1_all.deb
36b6a2854d743f3e463aa25677b5ccf0074b60b5 15998 pypy-rply_0.7.1-1_all.deb
Checksums-Sha256:
60ba75275cd5f326dfe5486d658b72aa9a344205e1bfefe831eecda5a6b0f35f 2196 python-rply_0.7.1-1.dsc
d254901aa80a1de01d1fe25e7e7e97e8c70a756903803d24bd27a6a4e6094604 14492 python-rply_0.7.1.orig.tar.gz
7d28fbd8290d878c1e55d1967d7f4e69381ff3802bb8651769fa0813cbdf22a4 21341 python-rply_0.7.1-1.debian.tar.gz
3c41ba7493e9fd9ac8ebe684f5725dc7cefbb1c81406990087924af343aaff66 16428 python-rply_0.7.1-1_all.deb
ad4198707eb81dbcfa2e5d0cd836a0a359b97f0ce7aa0ba32690f7c9f380405d 15994 python3-rply_0.7.1-1_all.deb
1e34d76b12fb4f08b4700d999180f8c4a12753f7e881ecbd0dc5f9e5319297fc 15998 pypy-rply_0.7.1-1_all.deb
Files:
bb808553e74ba081b275ecea52befa35 2196 python optional python-rply_0.7.1-1.dsc
5e2970627da13d63d904be9a50187485 14492 python optional python-rply_0.7.1.orig.tar.gz
724bffb2c3a7913fe462c22e875e817e 21341 python optional python-rply_0.7.1-1.debian.tar.gz
0548c81712f5ac232f4ae0198a04603d 16428 python optional python-rply_0.7.1-1_all.deb
ba3dd2dd41b44359b95de86471330e7c 15994 python optional python3-rply_0.7.1-1_all.deb
844f6a45e79bb500f539e28955e1f3d5 15998 python optional pypy-rply_0.7.1-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
=3lG9
-----END PGP SIGNATURE-----
Changed Bug title to 'python-rply: CVE-2014-1604: insecure use of /tmp' from 'python-rply: insecure use of /tmp'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 18 Jan 2014 06:45:09 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 20 Feb 2014 07:33:04 GMT)