CVE-2014-1624
pyxdg Arbitrary File Overwrite via Race Condition
EPSS 0.05%
Description
Race condition in the xdg.BaseDirectory.get_runtime_dir function in python-xdg 0.25 allows local users to overwrite arbitrary files by pre-creating /tmp/pyxdg-runtime-dir-fallback-victim to point to a victim-owned location, then replacing it with a symlink to an attacker-controlled location once the get_runtime_dir function is called.
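The flaw described above is a check-then-create race on a predictable path: a stat-based "is this a directory?" check follows a symlink, so an attacker-planted link to a directory the victim owns passes the check, and the link is swapped afterwards. The defensive pattern is to attempt the atomic `mkdir` first and, only if something already occupies the path, inspect it with `lstat` (which does not follow links) for type, owner and mode. The code below is an added, illustrative example written for this page; it is not pyxdg's implementation and the demo paths it builds under a temporary directory are constructed stand-ins for `/tmp`.

```python
"""Hardened creation of a per-user fallback runtime directory.

Illustrative code added for this page; it is not pyxdg's own implementation.
The demo paths are constructed under a temporary directory, not the real /tmp.
"""
import os
import shutil
import stat
import tempfile


class UnsafeRuntimeDir(Exception):
    """The fallback path exists but is not a private directory we own."""


def ensure_private_runtime_dir(path):
    """Return `path` once it is a mode-0700 directory owned by the caller.

    Order matters: the atomic mkdir comes first, so there is no window between
    a check and the create in which a symlink can be swapped in. Only if
    something already occupies the path do we inspect it, and then with lstat,
    so a symlink is seen as a symlink rather than as whatever it points to.
    """
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # something is already there (dir, file, or dangling/live symlink); validate below
    else:
        os.chmod(path, 0o700)  # umask can only narrow the requested mode; restore 0700 explicitly
        return path

    st = os.lstat(path)  # lstat: never follow a symlink planted at `path`
    if stat.S_ISLNK(st.st_mode):
        raise UnsafeRuntimeDir("%s is a symlink; refusing to follow it" % path)
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeRuntimeDir("%s exists but is not a directory" % path)
    if st.st_uid != os.getuid():
        raise UnsafeRuntimeDir("%s is owned by uid %d, not by us" % (path, st.st_uid))
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise UnsafeRuntimeDir("%s is group/other accessible (mode %o)"
                               % (path, stat.S_IMODE(st.st_mode)))
    return path


def exercise_fallback_dir():
    """Run the hardened function against constructed scenarios in a private temp dir.

    Returns a dict mapping scenario name -> "ok" or "refused: <reason>", so the
    outcome can be checked on return values rather than printed output.
    """
    base = tempfile.mkdtemp(prefix="runtime-dir-demo-")  # constructed stand-in for /tmp
    results = {}

    def attempt(name, path):
        try:
            ensure_private_runtime_dir(path)
            results[name] = "ok"
        except UnsafeRuntimeDir as exc:
            results[name] = "refused: " + str(exc)

    # 1. Nothing at the path yet: created atomically with mode 0700.
    fresh = os.path.join(base, "pyxdg-runtime-dir-fallback-user")
    attempt("fresh", fresh)
    results["fresh_mode"] = oct(stat.S_IMODE(os.lstat(fresh).st_mode))

    # 2. Our own private directory already exists: accepted on reuse.
    attempt("reuse", fresh)

    # 3. A pre-planted symlink pointing at a directory the user owns (the setup
    #    the advisory describes). A stat-based isdir() check would pass; lstat refuses.
    victim_dir = os.path.join(base, "victim-owned")
    os.mkdir(victim_dir, 0o700)
    planted = os.path.join(base, "pyxdg-runtime-dir-fallback-victim")
    os.symlink(victim_dir, planted)
    attempt("symlink", planted)

    # 4. A regular file squatting on the path: refused.
    squat = os.path.join(base, "squatted")
    open(squat, "w").close()
    attempt("file", squat)

    # 5. A directory we own but left group/other accessible: refused.
    wide = os.path.join(base, "wide-open")
    os.mkdir(wide, 0o755)
    os.chmod(wide, 0o755)
    attempt("wide", wide)

    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for name, outcome in exercise_fallback_dir().items():
        print("%-10s %s" % (name, outcome))
```

Two design points carry the security argument. First, `mkdir` is the only operation that both checks and creates atomically, so it goes first; a successful return means the directory is ours and nothing was there before. Second, once something is already present, `lstat` examines the entry itself, so an attacker-owned symlink fails the type and owner checks no matter where it points, and a genuine directory owned by the caller cannot be replaced by another user inside a sticky-bit directory such as `/tmp`, which closes the swap-after-check window the advisory describes.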
How to fix CVE-2014-1624
To remediate CVE-2014-1624, upgrade the affected package to one of the fixed versions listed below.
- Debian/pyxdg—upgrade to 0.25-4 or later
- PyPI/pyxdg—upgrade to 0.26 or later
- —upgrade to 0.26 or later
Is CVE-2014-1624 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 0.25-4
- from 0, < 0.26
- >= 0.25, < 0.26