Low severity · NVD Advisory · Published Jan 28, 2014 · Updated Apr 29, 2026
CVE-2014-1624
Description
Race condition in the xdg.BaseDirectory.get_runtime_dir function in python-xdg 0.25 allows local users to overwrite arbitrary files by pre-creating /tmp/pyxdg-runtime-dir-fallback-victim to point to a victim-owned location, then replacing it with a symlink to an attacker-controlled location once the get_runtime_dir function is called.
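The description above is the classic pre-planted-path race: whatever is checked by name can be swapped before it is used. As an added example (not pyxdg's code, and not the fix commit shown under Patches), here is the create-then-verify pattern a hardened fallback would follow: create with mkdir first, which is atomic and refuses to follow an existing symlink, then inspect the inode through an O_NOFOLLOW|O_DIRECTORY descriptor rather than by path. The names `secure_runtime_dir` and `demo` and the constructed scenario in `demo` are this example's own.

```python
import os
import stat
import tempfile

def secure_runtime_dir(path, uid=None):
    """Create-then-verify: mkdir first (atomic; EEXIST if anything is there),
    then check the inode via an O_NOFOLLOW|O_DIRECTORY fd, not by path."""
    uid = os.getuid() if uid is None else uid
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # something already exists; inspect it below, never trust it
    try:
        # Refuses symlinks (ELOOP) and non-directories (ENOTDIR) at open time.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY)
    except OSError as e:
        raise RuntimeError("refusing %s: %s" % (path, e.strerror))
    try:
        st = os.fstat(fd)
        if st.st_uid != uid:
            raise RuntimeError("refusing %s: owned by uid %d" % (path, st.st_uid))
        if stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
            os.fchmod(fd, 0o700)  # tighten via the fd, not by path
    finally:
        os.close(fd)
    # Caveat: a world-writable parent can still swap the path after return.
    return path

def demo(root=None):
    """Constructed scenario: clean path, too-open existing dir, planted symlink."""
    root = root or tempfile.mkdtemp(prefix="pyxdg-demo-")
    results = {}
    clean = os.path.join(root, "runtime-clean")
    results["clean"] = (secure_runtime_dir(clean) == clean
                        and stat.S_IMODE(os.stat(clean).st_mode) == 0o700)
    loose = os.path.join(root, "runtime-loose")
    os.mkdir(loose, 0o755)
    secure_runtime_dir(loose)
    results["loose_tightened"] = stat.S_IMODE(os.stat(loose).st_mode) == 0o700
    elsewhere = os.path.join(root, "elsewhere")
    os.mkdir(elsewhere)
    link = os.path.join(root, "runtime-link")
    os.symlink(elsewhere, link)
    try:
        secure_runtime_dir(link)
        results["symlink_rejected"] = False
    except RuntimeError:
        results["symlink_rejected"] = True
    return results
```

Callers that must not lose the guarantee after the function returns should keep the descriptor open and work relative to it (`os.open(..., dir_fd=...)`) instead of re-resolving the path.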
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pyxdg (PyPI) | < 0.26 | 0.26 |
Affected products
- cpe:2.3:a:python:pyxdg:0.25:*:*:*:*:*:*:*
Patches
bd999c1c3fe7 Improve security of get_runtime_dir(strict=False)
1 file changed · +23 −8
xdg/BaseDirectory.py+23 −8 modified@@ -25,7 +25,7 @@ Note: see the rox.Options module for a higher-level API for managing options. """ -import os +import os, stat _home = os.path.expanduser('~') xdg_data_home = os.environ.get('XDG_DATA_HOME') or \ @@ -131,15 +131,30 @@ def get_runtime_dir(strict=True): import getpass fallback = '/tmp/pyxdg-runtime-dir-fallback-' + getpass.getuser() + create = False + try: - os.mkdir(fallback, 0o700) + # This must be a real directory, not a symlink, so attackers can't + # point it elsewhere. So we use lstat to check it. + st = os.lstat(fallback) except OSError as e: import errno - if e.errno == errno.EEXIST: - # Already exists - set 700 permissions again. - import stat - os.chmod(fallback, stat.S_IRUSR|stat.S_IWUSR|stat.S_IXUSR) - else: # pragma: no cover + if e.errno == errno.ENOENT: + create = True + else: raise - + else: + # The fallback must be a directory + if not stat.S_ISDIR(st.st_mode): + os.unlink(fallback) + create = True + # Must be owned by the user and not accessible by anyone else + elif (st.st_uid != os.getuid()) \ + or (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)): + os.rmdir(fallback) + create = True + + if create: + os.mkdir(fallback, 0o700) + return fallback
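Review bot: style point on the first hunk, `-import os` / `+import os, stat`: PEP 8 asks for one import per line (`import os` then `import stat`), and because the old `import stat` inside the except branch is dropped in the second hunk, this module-level import is now the only thing backing the `stat.S_ISDIR` / `stat.S_IRWXG` references below, so a separate line makes it harder to remove by accident in a later cleanup.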
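Review bot: the check-then-act window in the second hunk is narrowed but not closed: `st = os.lstat(fallback)` and the later `os.mkdir(fallback, 0o700)` / `return fallback` are separate system calls, so a directory that passed the lstat checks can still be replaced before the caller uses the returned path; the strict=False docstring should state that the fallback is best-effort in a shared /tmp. Two error paths also go unhandled: `os.rmdir(fallback)` raises ENOTEMPTY when the user's own directory merely has loose group/other bits (the removed `os.chmod` used to repair that case in place), and `os.rmdir` / `os.unlink` on an entry owned by another user in sticky /tmp raises EPERM, so both cases now surface as an uncaught OSError rather than a clear error or a fallback.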
References
- github.com/advisories/GHSA-7372-q459-jxhr (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2014-1624 (GHSA, advisory)
- bugs.debian.org/cgi-bin/bugreport.cgi (NVD, web)
- www.openwall.com/lists/oss-security/2014/01/21/3 (NVD, web)
- www.openwall.com/lists/oss-security/2014/01/21/4 (NVD, web)
- exchange.xforce.ibmcloud.com/vulnerabilities/90618 (NVD, web)
- github.com/pypa/advisory-database/tree/main/vulns/pyxdg/PYSEC-2014-95.yaml (GHSA, web)
- github.com/takluyver/pyxdg/commit/bd999c1c3fe7ee5f30ede2cf704cf03e400347b4 (GHSA, web)
- web.archive.org/web/20200227194825/http://www.securityfocus.com/bid/65042 (GHSA, web)
- www.securityfocus.com/bid/65042 (NVD)