Good news and bad news on Python sockets and pickle
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 18 Jul 2014 22:40:38 -0600
So first the good news, I looked at the top projects on PyPI
(arbitrarily defined as more than 1000 downloads in the last month for
at least one version), so for the most recent version of these that
meant about 8,072 packages.

I looked for cases where pickle.loads is used on untrusted data, the
good news is I didn't find many, the main two use cases were taking
data from ZeroMQ and memcached and then unpickling it, looks like
those would be compromised in any event if malicious data got in
there, let alone RCE type stuff.

However having said that we do have this one in the past:

CVE-2012-4406 OpenStack Object Storage (swift) before 1.7.0 uses the
loads function in the pickle Python module unsafely when storing and
loading metadata in memcached, which allows remote attackers to
execute arbitrary code via a crafted pickle object.

So here is my question, is all pickle.loads from things like memcached
(which has no auth) generally CVE worthy? If so I can post a list of
the potentials, I'll be honest, I'm too lazy to go digging through it
(I'm not sure how many use shared/public memcached configs/etc.).

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
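
The kind of survey described in the message above can be approximated with a syntactic scan. The following is an added example, not part of the original post and not the tooling its author used: it walks a module's AST and reports every call to a pickle deserializer, resolving `import ... as` and `from ... import` aliases. The names `find_pickle_loads` and `SAMPLE` are hypothetical, the sample source is constructed, and the scan only locates call sites; whether the bytes come from an unauthenticated store such as memcached still needs manual review.

```python
import ast

# Callables that deserialize pickle data (and so run constructors named in it).
UNSAFE = {"load", "loads", "Unpickler"}
PICKLE_MODULES = {"pickle", "cPickle", "_pickle"}

# Constructed sample input: two pickle call sites and one harmless json call.
SAMPLE = '''\
import json
import pickle as pk
from cPickle import loads as unpack

def get_meta(mc, key):
    raw = mc.get(key)
    return pk.loads(raw) if raw else None

def get_msg(sock):
    return unpack(sock.recv())

def get_safe(mc, key):
    return json.loads(mc.get(key))
'''

def find_pickle_loads(source, filename="<src>"):
    """Return sorted (line, dotted_name) pairs for pickle load calls in source."""
    tree = ast.parse(source, filename)
    mod_alias, func_alias = {}, {}
    # Pass 1: record how pickle modules and their loaders are named locally.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name in PICKLE_MODULES:
                    mod_alias[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module in PICKLE_MODULES:
            for a in node.names:
                if a.name in UNSAFE:
                    func_alias[a.asname or a.name] = f"{node.module}.{a.name}"
    # Pass 2: match calls of the form alias.loads(...) or bare imported loads(...).
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id in mod_alias and f.attr in UNSAFE):
            hits.append((node.lineno, f"{mod_alias[f.value.id]}.{f.attr}"))
        elif isinstance(f, ast.Name) and f.id in func_alias:
            hits.append((node.lineno, func_alias[f.id]))
    return sorted(hits)

if __name__ == "__main__":
    for line, name in find_pickle_loads(SAMPLE):
        print(f"line {line}: {name}")
```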