CVE-2014-1624

python-xdg 0.25 - Local Privilege Escalation

Title source: llm

Description

Race condition in the xdg.BaseDirectory.get_runtime_dir function in python-xdg 0.25 allows local users to overwrite arbitrary files by pre-creating /tmp/pyxdg-runtime-dir-fallback-victim to point to a victim-owned location, then replacing it with a symlink to an attacker-controlled location once the get_runtime_dir function is called.

References (5)

[Issue Tracking] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=736247

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/90618

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/65042

[Mailing List] http://www.openwall.com/lists/oss-security/2014/01/21/3

[Mailing List] http://www.openwall.com/lists/oss-security/2014/01/21/4

Scores

EPSS 0.0005

EPSS Percentile 14.0%

Classification

CWE

CWE-59

Status draft

Affected Products (2)

python/pyxdg

pypi/pyxdg < 0.26PyPI

Timeline

Published Jan 28, 2014

Tracked Since Feb 18, 2026