PYSEC-2014-95

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pyxdg/PYSEC-2014-95.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2014-95
Aliases
Published
2014-01-28T00:55:00Z
Modified
2023-11-08T03:57:34.699452Z
Summary
[none]
Details

Race condition in the xdg.BaseDirectory.getruntimedir function in python-xdg 0.25 allows local users to overwrite arbitrary files by pre-creating /tmp/pyxdg-runtime-dir-fallback-victim to point to a victim-owned location, then replacing it with a symlink to an attacker-controlled location once the getruntimedir function is called.

References

Affected packages

PyPI / pyxdg

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.25
Fixed
0.26

Affected versions

0.*
0.25

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/pyxdg/PYSEC-2014-95.yaml"