CVE-2014-3539 python-rope: pickle.load of remotely supplied data with no authentication #105

Closed
nixon opened this issue Feb 7, 2015 · 5 comments
Labels
bug Unexpected or incorrect user-visible behavior

Comments

@nixon

nixon commented Feb 7, 2015

https://bugzilla.redhat.com/show_bug.cgi?id=1116485

@mcepl
Contributor

mcepl commented Feb 10, 2015

I am aware of it, and I was working on it https://gitorious.org/rope/rope/source/CVE-2014-3539 but I have never been able to pull off a good automatized reproducer for test. Any merge requests for that branch would be very very welcome.

@ghost

ghost commented Aug 3, 2018

Hi, I'm a fan of rope, but am concerned about using it due to this issue. I'm wondering if you might be willing to share your current thinking? Thanks.

In case it's helpful, Debian seems to have a limited patch.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777525
https://sources.debian.org/src/rope/0.10.3-1/debian/patches/CVE-2014-3539.patch/

@soupytwist
Contributor

Hi, I know this has been sitting for far too long. I am working on the fix for this issue.

@soupytwist
Contributor

I have a proposed fix in #251. I'm not sure who will review it who is very familiar with this codebase (or if there is such a person anymore). This does need to be resolved, so I will get at least another competent pair of eyes on it. Please anyone take a look as well if you are interested.

@mcepl
Contributor

mcepl commented Aug 7, 2018

> who is very familiar with this codebase (or if there is such a person anymore

Given the authorship of last commits to rope I would say that the most competent person to know this codebase is best found by you in the nearest mirror ;).

soupytwist added a commit that referenced this issue Aug 8, 2018
…ts (#251)

Perform signature verification on pickled data transferred over sockets

Before unpickling anything, ensure that it has a valid digital
signature using a randomly-generated shared key. In order for an attacker
to send or tamper with data on the same socket, they must know this key
to compute a valid signature. Fixes #105, CVE-2015-3539.
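
The check the commit message describes, as an added example that is not rope's code or the code from #251: each pickled payload travels with a MAC computed under a random shared key, and the receiver verifies that MAC before `pickle.loads` ever sees the bytes. HMAC-SHA256, the length-prefixed frame layout, and the names `new_shared_key`, `pack_frame`, `unpack_frame`, `BadSignature` and `MAX_PAYLOAD` are assumptions of this example.

```python
import hashlib
import hmac
import os
import pickle
import struct

DIGEST = hashlib.sha256          # assumption: the page does not name the algorithm
MAC_LEN = DIGEST().digest_size   # 32 bytes for SHA-256
HEADER = struct.Struct("!I")     # 4-byte big-endian payload length
MAX_PAYLOAD = 1 << 20            # constructed limit for this example


class BadSignature(Exception):
    """Frame is malformed or its MAC does not verify."""


def new_shared_key() -> bytes:
    # Assumption: both ends obtain this key out of band, never over the socket.
    return os.urandom(32)


def pack_frame(key: bytes, obj) -> bytes:
    """Bytes the sender writes to the socket: length | MAC | pickle."""
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    mac = hmac.new(key, payload, DIGEST).digest()
    return HEADER.pack(len(payload)) + mac + payload


def unpack_frame(key: bytes, frame: bytes):
    """Verify the MAC first; unpickle only authenticated bytes."""
    if len(frame) < HEADER.size + MAC_LEN:
        raise BadSignature("short frame")
    (length,) = HEADER.unpack_from(frame)
    mac = frame[HEADER.size:HEADER.size + MAC_LEN]
    payload = frame[HEADER.size + MAC_LEN:]
    if length > MAX_PAYLOAD or length != len(payload):
        raise BadSignature("bad length")
    expected = hmac.new(key, payload, DIGEST).digest()
    # Constant-time comparison avoids leaking how many MAC bytes matched.
    if not hmac.compare_digest(mac, expected):
        raise BadSignature("MAC mismatch")
    return pickle.loads(payload)
```

A peer that does not hold the key cannot produce a frame that reaches `pickle.loads`; the scheme gives no protection against a process that can read the key.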