Insecure Temporary File in horovod/horovod

Valid

Reported on

Jan 8th 2022


Description

horovod package is using the deprecated function tempfile.mktemp() which is not secure. Because a different process may create a file with this name in the time between the call to mktemp() and the subsequent attempt to create the file by the first process.

Impact

Availability will get affected because of this vulnerability.

Remediation

Use mkstemp() instead of tempfile.mktemp()

Occurrences

We are processing your report and will contact the horovod team within 24 hours. 2 years ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago
We have contacted a member of the horovod team and are waiting to hear back 2 years ago
We have sent a follow up to the horovod team. We will try again in 4 days. 2 years ago
We have sent a second follow up to the horovod team. We will try again in 7 days. 2 years ago
Enrico Minack
2 years ago

Maintainer


This has been fixed. Please do not send any further messages regarding this.

horovod/horovod maintainer
2 years ago

Maintainer


A fix to address the above vulnerability has been merged into master branch.

Srikanth Prathi
2 years ago

Researcher


Hi Enrico, Thank you for fixing the reported vulnerability. Can you please approve the same here. Thanks again.

Enrico Minack validated this vulnerability 2 years ago
srikanthprathi has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome
2 years ago

Are we able to confirm the fix against this report?

Enrico Minack
2 years ago

Maintainer


Has not been released.

Srikanth Prathi
2 years ago

Researcher


Hi Enrico, is the fix got released? Can this report be made public?

Enrico Minack marked this as fixed in 0.24.0 with commit b96eca 2 years ago
The fix bounty has been dropped
js_run.py#L129 has been validated
to join this conversation