Insecure Temporary File in horovod/horovod

Valid

Reported on

Jan 8th 2022


Description

The horovod package uses the deprecated function tempfile.mktemp(), which is not secure: mktemp() only returns a file name, so a different process may create a file with that name in the window between the call to mktemp() and the first process's subsequent attempt to create the file.

Impact

Availability can be affected by this vulnerability.

Remediation

Use tempfile.mkstemp() instead of tempfile.mktemp().
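The insecure pattern from the description beside the remediated one, as an added example (not horovod's code; the helper names `write_with_mktemp`, `write_with_mkstemp`, `mktemp_follows_planted_name`, `refuses_existing_name`, `file_mode` and `roundtrip_with_mkstemp` are hypothetical). The "other process" that wins the race is simulated in-process so the example runs offline:

```python
"""mktemp() name-then-open race vs. mkstemp() atomic create-and-open.

Added illustration for the report above; not code from the horovod project.
"""
import os
import stat
import tempfile


def write_with_mktemp(data: bytes) -> str:
    """Vulnerable pattern: mktemp() returns only a name; the file is created later.

    Between the two calls any process with write access to the temp directory
    can create that name first, and the open() below reuses whatever is there.
    The file is also created with the process umask rather than mode 0o600.
    """
    path = tempfile.mktemp()          # deprecated: reserves nothing on disk
    with open(path, "wb") as fh:      # race window: the name may already exist
        fh.write(data)
    return path


def write_with_mkstemp(data: bytes) -> str:
    """Remediated pattern: mkstemp() creates and opens the file in one step.

    The file is opened with O_CREAT | O_EXCL, so a pre-existing name (including
    a symlink) raises instead of being reused, it is created with mode 0o600,
    and the caller receives an already-open descriptor: there is no
    name-then-open window for another process to slip into.
    """
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def mktemp_follows_planted_name() -> bool:
    """Reproduce the failure mode the report describes.

    A file with the mktemp() name is created by "another process" (simulated
    here in the same process) before the first process opens it. The vulnerable
    open(path, "wb") then silently truncates and reuses that planted file
    rather than refusing. Returns True when the planted file was reused.
    """
    path = tempfile.mktemp()
    with open(path, "wb") as planted:      # the other process wins the race
        planted.write(b"planted")
    try:
        with open(path, "wb") as fh:       # vulnerable step: no O_EXCL, no error
            fh.write(b"victim data")
        return True
    finally:
        os.unlink(path)


def refuses_existing_name(path: str) -> bool:
    """The guarantee mkstemp() relies on: O_CREAT | O_EXCL on an existing name
    fails with FileExistsError instead of reusing it. Returns True if refused."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return True
    os.close(fd)
    return False


def file_mode(path: str) -> int:
    """Permission bits of a path, e.g. 0o600 for a mkstemp() file on POSIX."""
    return stat.S_IMODE(os.stat(path).st_mode)


def roundtrip_with_mkstemp(data: bytes) -> tuple:
    """Write via mkstemp(), then check the properties the remediation gives:
    returns (content_matches, existing_name_refused, mode) and removes the file."""
    path = write_with_mkstemp(data)
    try:
        with open(path, "rb") as fh:
            content = fh.read()
        return content == data, refuses_existing_name(path), file_mode(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("mktemp reused a planted file:", mktemp_follows_planted_name())
    ok, refused, mode = roundtrip_with_mkstemp(b"checkpoint data")
    print("mkstemp roundtrip:", ok, "refused existing name:", refused, "mode:", oct(mode))
```

The mode check assumes a POSIX filesystem, where mkstemp() creates the file with 0o600; the exclusivity check is what closes the race regardless of platform.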

Occurrences

We are processing your report and will contact the horovod team within 24 hours. 5 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 5 months ago
We have contacted a member of the horovod team and are waiting to hear back 4 months ago
We have sent a follow up to the horovod team. We will try again in 7 days. 4 months ago
We have sent a second follow up to the horovod team. We will try again in 10 days. 4 months ago
Enrico Minack
4 months ago

Maintainer


This has been fixed. Please do not send any further messages regarding this.

horovod/horovod maintainer
4 months ago

Maintainer


A fix to address the above vulnerability has been merged into master branch.

Srikanth Prathi
4 months ago

Researcher


Hi Enrico, Thank you for fixing the reported vulnerability. Can you please approve the same here. Thanks again.

Enrico Minack validated this vulnerability 4 months ago
Srikanth Prathi has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome
4 months ago

Admin


Are we able to confirm the fix against this report?

Enrico Minack
4 months ago

Maintainer


Has not been released.

Srikanth Prathi
2 months ago

Researcher


Hi Enrico, has the fix been released? Can this report be made public?

Enrico Minack confirmed that a fix has been merged on b96eca 2 months ago
The fix bounty has been dropped
js_run.py#L129 has been validated