Your message dated Sat, 18 Jan 2014 01:03:32 +0000
with message-id <[email protected]>
and subject line Bug#735263: fixed in python-rply 0.7.1-1
has caused the Debian Bug report #735263,
regarding python-rply: insecure use of /tmp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
735263: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=735263
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: python-rply
Version: 0.7.0-1
Severity: grave
Tags: security
Justification: user security hole

rply stores its cache files in /tmp. This is insecure, because /tmp is world-writable, and the filenames rply uses are of course predictable.

Proof of concept is attached. If you put the rply-*.json file in /tmp and make it world-readable, then the tiny calculator's math will start to be slightly off (even when run by a different user than the owner of the cache file):

$ ls -l /tmp/rply-*.json
-rw-r--r-- 1 eve users 730 Jan 13 22:20 /tmp/rply-1-tinycalc-72306a09ee3b3fe5697e2d0114eb3ee132a6ff7a.json

$ whoami
jwilk

$ echo 69 - 37 - 10 | python3 tinycalc.py
69 - 37 - 10 = 42

--
Jakub Wilk

Attachment: rply-1-tinycalc-72306a09ee3b3fe5697e2d0114eb3ee132a6ff7a.json
Description: application/json

#!/usr/bin/python3

import sys

import rply

lg = rply.LexerGenerator()
lg.add('PLUS', r'\+')
lg.add('MINUS', r'-')
lg.add('NUMBER', r'\d+')

lg.ignore(r'\s+')

pg = rply.ParserGenerator(
    ['NUMBER', 'PLUS', 'MINUS'],
    precedence=[('left', ['PLUS', 'MINUS'])],
    cache_id='tinycalc'  # names the on-disk parser cache the report is about
)

@pg.production('main : exp')
def main(p):
    [exp] = p
    return exp

@pg.production('exp : exp PLUS exp')
@pg.production('exp : exp MINUS exp')
def exp_op(p):
    # p is [lhs, operator token, rhs]; unpacking binds all three
    [lhs, op, rhs] = p
    if op.getstr() == '+':
        return lhs + rhs
    else:
        return lhs - rhs

@pg.production('exp : NUMBER')
def exp_num(p):
    [tok] = p
    return int(tok.getstr())

lexer = lg.build()
parser = pg.build()

for line in sys.stdin:
    line = line.strip()
    n = parser.parse(lexer.lex(line))
    print(line, '=', n)

# vim:ts=4 sw=4 et

--- End Message ---
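The report above turns on trusting a cache file at a predictable name inside the world-writable /tmp. As an added example (not rply's code, nor the reporter's), the loader below shows the checks a fix needs: a per-user 0700 directory instead of /tmp, O_EXCL|O_NOFOLLOW when creating the cache, and an fstat on the open descriptor that rejects a file, or a parent directory, that is not owned by the current user or is group/world-writable. The directory and file names in demo() are constructed for the demonstration.

```python
import json
import os
import stat
import tempfile
# Added example (not rply's code): a cache loader that refuses to trust
# files another user could have planted, the failure mode in the report.
def _owned_and_private(st):
    # Owned by the current user and not writable by group or others.
    # /tmp fails this test: it is world-writable (mode 1777).
    return (st.st_uid == os.getuid()
            and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)))

def write_cache(path, data):
    # O_EXCL refuses to reuse a pre-existing (possibly planted) file;
    # O_NOFOLLOW refuses to follow a symlink left at the cache path.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(data, f)

def load_trusted_cache(path):
    """Return the parsed cache, or None if the file is not safe to trust."""
    parent_st = os.stat(os.path.dirname(path) or ".")
    if not (stat.S_ISDIR(parent_st.st_mode) and _owned_and_private(parent_st)):
        return None  # shared directory such as /tmp: anyone may have created it
    try:
        fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    except OSError:
        return None  # missing, or a symlink (ELOOP under O_NOFOLLOW)
    with os.fdopen(fd, "r") as f:
        st = os.fstat(f.fileno())  # fstat the open fd: no check-then-open race
        if not (stat.S_ISREG(st.st_mode) and _owned_and_private(st)):
            return None
        return json.load(f)

def demo():
    # Constructed scenario: private 0700 dir, then chmod 666, then a 1777 dir like /tmp.
    private_dir = tempfile.mkdtemp()  # mkdtemp creates the directory with mode 0700
    path = os.path.join(private_dir, "rply-1-tinycalc-cache.json")
    write_cache(path, {"cache_id": "tinycalc"})
    accepted = load_trusted_cache(path)
    os.chmod(path, 0o666)
    rejected_file = load_trusted_cache(path)
    shared_dir = tempfile.mkdtemp()
    os.chmod(shared_dir, 0o1777)
    shared_path = os.path.join(shared_dir, "rply-1-tinycalc-cache.json")
    write_cache(shared_path, {"cache_id": "tinycalc"})
    rejected_dir = load_trusted_cache(shared_path)
    return accepted, rejected_file, rejected_dir
```

demo() returns the parsed cache for the private file and None for both the world-writable file and the file in the /tmp-like directory.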
--- Begin Message ---
Source: python-rply
Source-Version: 0.7.1-1

We believe that the bug you reported is fixed in the latest version of
python-rply, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tristan Seligmann <[email protected]> (supplier of updated python-rply package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 18 Jan 2014 02:45:02 +0200
Source: python-rply
Binary: python-rply python3-rply pypy-rply
Architecture: source all
Version: 0.7.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <[email protected]>
Changed-By: Tristan Seligmann <[email protected]>
Description: 
 pypy-rply  - pure Python based parser that also works with RPython (PyPy)
 python-rply - pure Python based parser that also works with RPython (Python 2)
 python3-rply - pure Python based parser that also works with RPython (Python 3)
Closes: 735263
Changes: 
 python-rply (0.7.1-1) unstable; urgency=medium
 .
   * New upstream release.
     - Fixes insecure /tmp handling (Closes: #735263).
   * Add myself to Uploaders.
   * Add PGP signature checking to watch file.
   * Patch setup.py to use distutils instead of setuptools (since setuptools is
     not packaged for pypy in Debian yet).
   * Install upstream README.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
Python-modules-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team
