It was reported [1], [2] that the Python XDG module (pyxdg) suffered from a TOCTOU race condition when the xdg.BaseDirectory.get_runtime_dir() function is called with the strict setting set to False (the default is True). When the strict setting is set to True, the directory pointed to by $XDG_RUNTIME_DIR is used (and returned). However, if $XDG_RUNTIME_DIR is unset, it will attempt to use the /tmp/pyxdg-runtime-dir-fallback-[username] directory. A local attacker could use this to conduct symbolic link attacks, possibly leading to their ability to modify permissions or the security context of a path different than that originally intended or requested.

This flaw only affects pyxdg 0.25, as the ability to use $XDG_RUNTIME_DIR (and thus the introduction of this function) was first introduced there based on this Debian request [3]. No patch is yet available and discussion on the fix is taking place in the upstream bug tracker [4].

UPDATE: A patch is available via [5].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736247
[2] http://www.openwall.com/lists/oss-security/2014/01/21/3
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656338
[4] https://bugs.freedesktop.org/show_bug.cgi?id=73878
[5] https://github.com/takluyver/pyxdg/commit/bd999c1c3fe7ee5f30ede2cf704cf03e400347b4
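As an added illustration of the race the report describes (this is not pyxdg's code or the upstream patch in [5]), the routine below creates the predictable fallback directory and then validates it through a directory file descriptor, so there is no window between the check and the use of the path; a planted symlink or file at that name is refused rather than followed. It assumes a Linux host where os.O_NOFOLLOW and os.O_DIRECTORY exist; the tmp_root parameter and the _fresh_dir helper are my own additions.

```python
import os
import pwd
import tempfile


def _fallback_name(user):
    # Same predictable name the report mentions: /tmp/pyxdg-runtime-dir-fallback-[username]
    return f"pyxdg-runtime-dir-fallback-{user}"


def _fresh_dir(tmp_root, user):
    """Something untrusted occupies the predictable name: leave it alone and
    hand back a new, unpredictable directory (mkdtemp creates it with mode 0700)."""
    return tempfile.mkdtemp(prefix=_fallback_name(user) + "-", dir=tmp_root)


def safe_runtime_dir_fallback(tmp_root="/tmp"):
    """Return a private per-user runtime directory under tmp_root.

    Ownership and mode are inspected and fixed on an open directory fd, so
    the path is never re-resolved between the check and the use."""
    uid = os.getuid()
    try:
        user = pwd.getpwuid(uid).pw_name
    except KeyError:          # uid without a passwd entry (common in containers)
        user = str(uid)
    path = os.path.join(tmp_root, _fallback_name(user))
    try:
        os.mkdir(path, 0o700)   # atomic: fails if anything already exists here
    except FileExistsError:
        pass
    try:
        # O_NOFOLLOW: a symlink planted at this name is rejected, not followed.
        # O_DIRECTORY: a regular file planted at this name is rejected.
        fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError:
        return _fresh_dir(tmp_root, user)
    try:
        st = os.fstat(fd)       # inspect the object we actually opened
        if st.st_uid != uid:    # directory owned by someone else: do not use it
            return _fresh_dir(tmp_root, user)
        os.fchmod(fd, 0o700)    # tighten mode on the fd (umask may have widened it)
    finally:
        os.close(fd)
    return path
```

In the symlink case the target's permissions are left untouched, which is exactly the outcome the report says the racy version cannot guarantee.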
Created pyxdg tracking bugs for this issue: Affects: fedora-all [bug 1056339]
pyxdg-0.25-5.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
pyxdg-0.25-5.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
pyxdg-0.25-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
pyxdg-0.25-5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This should be fixed in all current releases.