Insecure Temporary File in huggingface/transformers

Valid

Reported on

Jan 5th 2023

Description

transformers package is using the deprecated function tempfile.mktemp() which is not secure. Because a different process may create a file with this name in the time between the call to mktemp() and the subsequent attempt to create the file by the first process.

Functions that create temporary file names (such as tempfile.mktemp()) are fundamentally insecure, as they do not ensure exclusive access to a file with the temporary name they return. The file name returned by these functions is guaranteed to be unique on creation but the file must be opened in a separate operation. There is no guarantee that the creation and open operations will happen atomically. This provides an opportunity for an attacker to interfere with the file before it is opened.

Use mkstemp() instead of tempfile.mktemp().

Impact

Availability will get affected because of this vulnerability.

We are processing your report and will contact the huggingface/transformers team within 24 hours. a year ago

ready-research submitted a

patch

a year ago

We have contacted a member of the huggingface/transformers team and are waiting to hear back a year ago

Sylvain Gugger validated this vulnerability 9 months ago

ready-research has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

ready-research

commented 6 months ago

Researcher

Hi @admin my patch is merged into the main branch. https://github.com/huggingface/transformers/pull/23372 https://github.com/huggingface/transformers/commit/80ca92470938bbcc348e2d9cf4734c7c25cb1c43

Accidentally I deleted my forked repository. Can you please suggest me a way to get a fixed bounty? Thanks.

Sylvain Gugger marked this as fixed in 4.30.0 with commit 80ca92 6 months ago

ready-research has been awarded the fix bounty

This vulnerability has been assigned a CVE

Sylvain Gugger published this vulnerability 6 months ago

Ben Harvie

commented 6 months ago

Admin

Hi ready-research, it looks like you've still be awarded the fix bounty - let me know if there's any other issues I can help with.

to join this conversation

We are processing your report and will contact the huggingface/transformers team within 24 hours. a year ago

ready-research submitted a

patch

a year ago

We have contacted a member of the huggingface/transformers team and are waiting to hear back a year ago

Sylvain Gugger validated this vulnerability 9 months ago

ready-research has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

ready-research

commented 6 months ago

Researcher

Hi @admin my patch is merged into the main branch. https://github.com/huggingface/transformers/pull/23372 https://github.com/huggingface/transformers/commit/80ca92470938bbcc348e2d9cf4734c7c25cb1c43

Accidentally I deleted my forked repository. Can you please suggest me a way to get a fixed bounty? Thanks.

Sylvain Gugger marked this as fixed in 4.30.0 with commit 80ca92 6 months ago

ready-research has been awarded the fix bounty

This vulnerability has been assigned a CVE

Sylvain Gugger published this vulnerability 6 months ago

Ben Harvie

commented 6 months ago

Admin

Hi ready-research, it looks like you've still be awarded the fix bounty - let me know if there's any other issues I can help with.

to join this conversation