X-Loop: owner@bugs.debian.org
Resent-From: Jakub Wilk <jwilk@debian.org>
Original-Sender: Jakub Wilk <jwilk@master.debian.org>
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: jwilk@debian.org, Debian Python Modules Team
 <python-modules-team@lists.alioth.debian.org>
X-Loop: owner@bugs.debian.org
Resent-Date: Tue, 21 Jan 2014 13:48:01 +0000
Resent-Message-ID: <handler.736247.B.13903119238415@bugs.debian.org>
X-Debian-PR-Message: report 736247
X-Debian-PR-Package: python-xdg
X-Debian-PR-Keywords: security
X-Debian-PR-Source: pyxdg
Date: Tue, 21 Jan 2014 14:45:11 +0100
From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Message-ID: <20140121134511.GA17843@jwilk.net>
X-Reportbug-Version: 6.4.4
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: [Python-modules-team] Bug#736247: python-xdg: get_runtime_dir(strict=False): insecure use of /tmp
Reply-To: Jakub Wilk <jwilk@debian.org>, 736247@bugs.debian.org
List-Id: Debian Python Modules Team
 <python-modules-team.lists.alioth.debian.org>
List-Archive: <http://lists.alioth.debian.org/pipermail/python-modules-team/>

Package: python-xdg
Version: 0.25-3
Severity: important
Tags: security

xdg.BaseDirectory.get_runtime_dir(strict=False) is prone to symlink 
attacks. A malicious local user could do the following:

1) Create symlink /tmp/pyxdg-runtime-dir-fallback-victim, pointing to a 
directory owned by the victim, say /home/victim.

2) Wait until the victim calls get_runtime_dir(strict=False), which 
succeeds and returns "/tmp/pyxdg-runtime-dir-fallback-victim".

3) Switch the symlink to point to a directory of their choice.

-- 
Jakub Wilk

_______________________________________________
Python-modules-team mailing list
Python-modules-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team
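As an added illustration (not part of the report above and not pyxdg's own code), here is the kind of fallback-directory check that defeats the planted symlink the report describes: the directory is created with mode 0700 via an atomic mkdir, and if something already exists at that path it is only accepted when lstat shows a real directory (not a symlink) owned by the calling user with no group/other permissions. The names `secure_runtime_dir`, `InsecureRuntimeDir` and `demo` are assumptions, and `demo` builds its scenario in a constructed temporary directory that mimics a sticky /tmp.

```python
import os
import stat
import tempfile


class InsecureRuntimeDir(Exception):
    """Raised when the fallback runtime directory cannot be trusted."""


def secure_runtime_dir(base, name):
    """Create or validate base/name as a private per-user runtime dir.

    Assumes `base` is a sticky, world-writable directory such as /tmp.
    Returns the path only if the entry is a real directory (not a
    symlink) owned by the calling user with mode 0700; otherwise raises.
    """
    path = os.path.join(base, name)
    try:
        os.mkdir(path, 0o700)          # atomic create; fails if anything exists
    except FileExistsError:
        pass                           # fall through and validate what is there
    st = os.lstat(path)                # lstat: never follow a planted symlink
    if stat.S_ISLNK(st.st_mode):
        raise InsecureRuntimeDir("%s is a symlink" % path)
    if not stat.S_ISDIR(st.st_mode):
        raise InsecureRuntimeDir("%s is not a directory" % path)
    if st.st_uid != os.getuid():
        raise InsecureRuntimeDir("%s is owned by uid %d" % (path, st.st_uid))
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise InsecureRuntimeDir("%s is accessible to other users" % path)
    # A passing entry is our own directory; in a sticky base only we can
    # unlink or rename it, so it cannot be swapped out from under us later.
    return path


def demo(base=None):
    """Constructed scenario: a planted symlink is rejected, a fresh dir accepted."""
    base = base or tempfile.mkdtemp(prefix="demo-tmp-")
    os.chmod(base, 0o1777)             # mimic /tmp: world-writable, sticky
    victim_dir = os.path.join(base, "victim-home")
    os.mkdir(victim_dir, 0o755)
    planted = os.path.join(base, "pyxdg-runtime-dir-fallback-victim")
    os.symlink(victim_dir, planted)    # the symlink left by step 1 of the report
    try:
        secure_runtime_dir(base, "pyxdg-runtime-dir-fallback-victim")
        rejected = False
    except InsecureRuntimeDir:
        rejected = True
    good = secure_runtime_dir(base, "pyxdg-runtime-dir-fallback-clean")
    good_mode = stat.S_IMODE(os.lstat(good).st_mode)
    return rejected, good_mode
```

Calling `secure_runtime_dir` a second time on a directory it already created returns the same path, since the existing entry passes every check.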