VYPR
Low severity · NVD Advisory · Published Jan 28, 2014 · Updated Apr 29, 2026

CVE-2014-1604

Description

The parser cache functionality in parsergenerator.py in RPLY (aka python-rply) before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-*.json file with a predictable name.
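An added example, not part of this advisory or of RPLY's own code, showing the per-user, trust-before-parse cache pattern that closes the hole described above: the file name carries the uid, the file is created with O_EXCL and mode 0600 so a pre-created file is refused rather than written into, and an existing file is parsed only after an fstat ownership and mode check on the opened descriptor. It assumes a POSIX system (os.getuid, file modes); the demo directory and cache contents are constructed.

```python
import json
import os
import stat
import tempfile


def cache_path(version, cache_id, grammar_hash):
    # Per-user name: two users building the same grammar get distinct files.
    name = "rply-%s-%s-%s-%s.json" % (version, os.getuid(), cache_id, grammar_hash)
    return os.path.join(tempfile.gettempdir(), name)


def load_trusted_cache(path):
    # Open without following symlinks, then check the *opened* file (no TOCTOU gap).
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:            # missing, symlink, or unreadable: treat as no cache
        return None
    with os.fdopen(fd) as f:
        st = os.fstat(f.fileno())
        if st.st_uid != os.getuid() or stat.S_IMODE(st.st_mode) != 0o600:
            return None        # not ours, or others could have written it: do not parse
        return json.load(f)    # parse only after the file is trusted


def write_cache(path, table):
    # O_EXCL: refuse a pre-created file instead of writing into it; 0600 from creation.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(table, f)


def demo():
    # Constructed walk-through in a private directory; returns each case's outcome.
    d = tempfile.mkdtemp()
    path = os.path.join(d, os.path.basename(cache_path("0.7.1", "demo", "0123abcd")))
    out = {"missing": load_trusted_cache(path)}          # nothing there yet -> None
    write_cache(path, {"table": [1, 2, 3]})
    out["ours"] = load_trusted_cache(path)               # our own 0600 file -> data
    os.chmod(path, 0o644)
    out["loose_mode"] = load_trusted_cache(path)         # group/world readable -> rejected
    try:
        write_cache(path, {"table": []})
        out["exclusive"] = "overwrote"
    except FileExistsError:
        out["exclusive"] = "refused"                     # O_EXCL blocks the pre-created file
    return out
```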

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
rply      PyPI        < 0.7.1             0.7.1

Affected products: 1

Patches (1)
fc9bbcd25b0b

The parser cache is now always handled in a per-user fashion.

https://github.com/alex/rply · Alex Gaynor · Jan 17, 2014 · via GHSA
1 file changed · +11 −4
  • rply/parsergenerator.py (+11 −4, modified)
    @@ -2,6 +2,7 @@
     import hashlib
     import json
     import random
    +import stat
     import string
     import sys
     import tempfile
    @@ -124,17 +125,23 @@ def build(self):
     
             cache_file = os.path.join(
                 tempfile.gettempdir(),
    -            "rply-%s-%s-%s.json" % (self.VERSION, self.cache_id, self.compute_grammar_hash(g))
    +            "rply-%s-%s-%s-%s.json" % (self.VERSION, os.getuid(), self.cache_id, self.compute_grammar_hash(g))
             )
             table = None
             if os.path.exists(cache_file):
                 with open(cache_file) as f:
                     data = json.load(f)
    -            if self.data_is_valid(g, data):
    -                table = LRTable.from_cache(g, data)
    +                stat_result = os.fstat(f.fileno())
    +            if (
    +                stat_result.st_uid == os.getuid() and
    +                stat.S_IMODE(stat_result.st_mode) == 0o0600
    +            ):
    +                if self.data_is_valid(g, data):
    +                    table = LRTable.from_cache(g, data)
             if table is None:
                 table = LRTable.from_grammar(g)
    -            with open(cache_file, "w") as f:
    +            fd = os.open(cache_file, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o0600)
    +            with os.fdopen(fd, "w") as f:
                     json.dump(self.serialize_table(table), f)
             if table.sr_conflicts:
                 warnings.warn(
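Review bot: the cache contents are still parsed before they are trusted. In this hunk `data = json.load(f)` runs inside the `with open(cache_file)` block, and the `stat_result.st_uid` / `stat.S_IMODE(...) == 0o0600` check is only applied afterwards, so a file that fails the check is nonetheless handed to the JSON parser, and a malformed one raises a decode error out of `build()` instead of being ignored. Call `os.fstat(f.fileno())` first and `json.load(f)` only when the ownership and mode check passes. Separately, when an existing file fails that check, `table` stays `None` and the new `os.open(cache_file, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o0600)` raises an uncaught `FileExistsError`, so the parser build aborts rather than falling back to the freshly computed `LRTable.from_grammar(g)`; catching that error (and skipping the cache write) would keep the parser usable when a rejected file is present.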
    
