Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:9755
HistorySep 18, 2005 - 12:00 a.m.

[Full-disclosure] [ GLSA 200509-09 ] Py2Play: Remote execution of arbitrary Python code

2005-09-1800:00:00
vulners.com
5
JSON

Gentoo Linux Security Advisory GLSA 200509-09

                                        http://security.gentoo.org/

Severity: High
Title: Py2Play: Remote execution of arbitrary Python code
Date: September 17, 2005
Bugs: #103524
ID: 200509-09

Synopsis

A design error in Py2Play allows attackers to execute arbitrary code.

Background

Py2Play is a peer-to-peer network game engine written in Python.
Pickling is a Python feature allowing to serialize Python objects into
string representations (called pickles) that can be sent over the
network.

Affected packages

-------------------------------------------------------------------
 Package             /  Vulnerable  /                   Unaffected
-------------------------------------------------------------------

1 dev-python/py2play <= 0.1.7 Vulnerable!
-------------------------------------------------------------------
NOTE: Certain packages are still vulnerable. Users should migrate
to another package if one is available or wait for the
existing packages to be marked stable by their
architecture maintainers.

Description

Arc Riley discovered that Py2Play uses Python pickles to send objects
over a peer-to-peer game network, and that clients accept without
restriction the objects and code sent by peers.

Impact

A remote attacker participating in a Py2Play-powered game can send
malicious Python pickles, resulting in the execution of arbitrary
Python code on the targeted game client.

Workaround

There is no known workaround at this time.

Resolution

The Py2Play package has been hard-masked prior to complete removal from
Portage, and current users are advised to unmerge the package:

# emerge --unmerge  dev-python/py2play

References

[ 1 ] CAN-2005-2875
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2875

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200509-09.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

Related

nessus 2
openvas 4
osv 1
cve 1
gentoo 1
github 1
debian 2
ubuntucve 1
nessus
nessus
Debian DSA-856-1 : py2play - design error
2005-10-11 00:00:00
GLSA-200509-09 : Py2Play: Remote execution of arbitrary Python code
2005-09-17 00:00:00
openvas
openvas
Gentoo Security Advisory GLSA 200509-09 (py2play)
2008-09-24 00:00:00
Gentoo Security Advisory GLSA 200509-09 (py2play)
2008-09-24 00:00:00
Debian Security Advisory DSA 856-1 (py2play)
2008-01-17 00:00:00
osv
osv
Py2Play Unpickles Untrusted Objects
2022-05-01 02:12:26
cve
cve
CVE-2005-2875
2005-09-13 23:03:00
gentoo
gentoo
Py2Play: Remote execution of arbitrary Python code
2005-09-17 00:00:00
github
github
Py2Play Unpickles Untrusted Objects
2022-05-01 02:12:26
debian
debian
[SECURITY] [DSA 856-1] New py2play packages fix arbitrary code execution
2005-10-10 06:21:05
[SECURITY] [DSA 856-1] New py2play packages fix arbitrary code execution
2005-10-10 06:21:05
ubuntucve
ubuntucve
CVE-2005-2875
2005-09-13 00:00:00
JSON
Related for SECURITYVULNS:DOC:9755
nessus2openvas4osv1cve1gentoo1github1debian2ubuntucve1