ALT-PU-2020-4295-1

Package update python-module-pyxdg in branch sisyphus

Version0.26-alt1

Published2020-07-23

Max severityHIGH

Severity:

Closed issues (5)

HIGH7.5

Уязвимость библиотеки языка программирования Python pyxdg, связанная с неверным управлением генерацией кода, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании

Published: 2021-11-02Modified: 2025-10-29

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 2.0MEDIUM 5.1

CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:P

References

CVE-2019-12761

LOW3.3

Race condition in the xdg.BaseDirectory.get_runtime_dir function in python-xdg 0.25 allows local users to overwrite arbitrary files by pre-creating /tmp/pyxdg-runtime-dir-fallback-victim to point to a victim-owned location, then replacing it with a symlink to an attacker-controlled location once the get_runtime_dir function is called.

Published: 2014-01-28Modified: 2026-04-29

CVSS 2.0LOW 3.3

CVSS:2.0/AV:L/AC:M/Au:N/C:N/I:P/A:P

References

HIGH7.5

A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.

Published: 2019-06-06Modified: 2024-11-21

CVSS 2.0MEDIUM 5.1

CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

GHSA-7372-q459-jxhr

NONE

pyxdg Arbitrary File Overwrite via Race Condition

Published: 2022-05-17Modified: 2024-10-16

References

GHSA-r6v3-hpxj-r8rv

HIGH7.5

Code Injection in PyXDG

Published: 2019-06-07Modified: 2024-10-15

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References