search

kupferlauncher / kupfer

kupfer, smart, quick launcher. `master' is kupfer's release branch.
http://kupferlauncher.github.io
GNU General Public License v3.0
368 stars 64 forks source link

Add SECURITY.md / Insecure ConservativeUnpickler #163

Closed JamieSlome closed 2 years ago

JamieSlome commented 2 years ago

Hey there!

I belong to an open source security research community, and a member (@splitline) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

JamieSlome commented 2 years ago

@KarolBedkowski - is this repository still being maintained?

If so, you can find the report directly here. It is private and only accessible to maintainers with repository write permissions 👍

KarolBedkowski commented 2 years ago

Hi, Yes, this repository is maintained. Bugs that affects me or other team member are still fixed; non important bugs require pr.

Best way to report issues is is still report it directly in gh.

As a owner I can't report under this link.

Regards, K.

KarolBedkowski commented 2 years ago

Seems to bug is reported by scan for use picke module, but without analyze how and when this module is used in Kupfer.

Report is that unpicling by ConservativeUnpickler class is not secure and allow execute arbitrary python code from pickled data.

pickle is used for something like local cache and there is no way to put in something maleficent by Kupfer itself (ConservativeUnpickler prevent this).

Only way to use this flaw is put something by attacker into files in local cache and wait to Kupfer start.

But If someone can write to local user cache dir they probably can write to .bashrc, create new local plugin or modify other files. So it can execute maleficent in simplest way.

Proposed resolution (checking also names) is this case also will not work as long we have dynamic / user created plugins and there is no way to specify closed list of class names.

Of course this implementation in other application may be security problem, but not in this case.

Thanks for your afford and reporting this issue, but I don't think is problem needed to resolve.

JamieSlome commented 2 years ago

@KarolBedkowski - would you be able to mark the report accordingly to your feedback?

https://www.huntr.dev/bounties/93e9984c-0641-4018-a49c-53014f54a8c1/

KarolBedkowski commented 2 years ago

Hi, I see you already close this report. I don't know huntr.dev - should I do something else?

JamieSlome commented 2 years ago

@KarolBedkowski - no further action is required.