PT-2014-4263 · Python+2 · Python-Xdg+2

Published 2014-01-28 · Updated 2025-03-06 · CVE-2014-1624

CVSS v2.0: 3.3 (Low)

Vector: AV:L/AC:M/Au:N/C:N/I:P/A:P
Name of the Vulnerable Software and Affected Versions: python-xdg version 0.25
Description: A race condition exists in the xdg.BaseDirectory.get_runtime_dir function, allowing local users to overwrite arbitrary files. This is achieved by pre-creating a file that points to a victim-owned location, then replacing it with a symlink to an attacker-controlled location once the get_runtime_dir function is called.
Recommendations: For python-xdg version 0.25, consider disabling the xdg.BaseDirectory.get_runtime_dir function until a patch is available to prevent exploitation. Restrict access to the /tmp/pyxdg-runtime-dir-fallback-victim location to minimize the risk of arbitrary file overwrites. Avoid using the get_runtime_dir function in sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
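The race described above sits between checking the fallback path and using it. As an added illustration that is not pyxdg's own code, the hypothetical helper below shows a hardened way to create or adopt a per-user fallback directory on POSIX: it creates the directory atomically with mode 0700, opens it with O_NOFOLLOW and O_DIRECTORY so a planted symlink or regular file is rejected, and validates owner and mode on the open descriptor instead of re-resolving the path. The directory name, the demo() driver and the constructed temporary layout are assumptions.

```python
import os
import stat
import tempfile

def open_runtime_dir(base=None, name=None):
    """Create-or-validate a private per-user runtime directory and return an
    open directory fd. Hypothetical hardened helper, not pyxdg's own code."""
    base = tempfile.gettempdir() if base is None else base
    name = "runtime-dir-fallback-%d" % os.getuid() if name is None else name
    path = os.path.join(base, name)
    try:
        os.mkdir(path, 0o700)          # atomic: we either create it 0700 or it exists
    except FileExistsError:
        pass
    # O_NOFOLLOW makes the open fail (ELOOP) if a symlink was planted at the path;
    # O_DIRECTORY fails if it is a regular file. The path is never re-resolved.
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)              # inspect the object we actually opened
        if st.st_uid != os.getuid():
            raise PermissionError("%s is owned by uid %d, not us" % (path, st.st_uid))
        if stat.S_IMODE(st.st_mode) & 0o077:
            raise PermissionError("%s is accessible to other users" % path)
    except Exception:
        os.close(fd)
        raise
    return fd

def demo():
    """Exercise the helper in a constructed temp directory: a fresh directory is
    accepted, a planted symlink is refused. Returns (accepted_fresh, refused_symlink)."""
    with tempfile.TemporaryDirectory() as base:
        fd = open_runtime_dir(base, "rt-good")
        os.close(fd)
        accepted = os.path.isdir(os.path.join(base, "rt-good"))
        # Constructed precondition: an entry at the expected name that is a
        # symlink elsewhere, the situation the CVE description relies on.
        os.symlink(base, os.path.join(base, "rt-evil"))
        try:
            open_runtime_dir(base, "rt-evil")
            refused = False
        except OSError:                # ELOOP raised by O_NOFOLLOW
            refused = True
    return accepted, refused
```

Callers should then operate relative to the returned descriptor (the dir_fd arguments of os.open, os.mkdir and friends) so no later path lookup can be redirected.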

Weakness Enumeration

Link Following

Related Identifiers

ALT-PU-2025-3664
CVE-2014-1624
GHSA-7372-Q459-JXHR
PYSEC-2014-95
SUSE-SU-2019:2719-1
SUSE-SU-2019:2719-2
SUSE-SU-2019_2719-1
SUSE-SU-2019_2719-2

Affected Products

Alt Linux
Suse
Python-Xdg