Insecure Temporary File in horovod/horovod

Valid

Reported on

Jan 8th 2022


Description

The horovod package uses the deprecated function tempfile.mktemp(), which is not secure: mktemp() only returns a file name and does not create the file, so a different process may create a file with that name in the window between the call to mktemp() and the first process's subsequent attempt to create the file.

Impact

This vulnerability affects availability.

Remediation

Use tempfile.mkstemp() instead of tempfile.mktemp().
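The race described above, played out in one process as an added example (not horovod's code): `write_with_mktemp` mirrors the reported pattern, `write_with_mkstemp` the remediation, and the `between` hook and the planted file are constructed stand-ins for the competing process.

```python
import os
import stat
import tempfile

def write_with_mktemp(data: bytes, directory: str, between=None) -> str:
    """Vulnerable: mktemp() only returns a name, it creates nothing.
    `between` stands in for the window in which another process may act."""
    path = tempfile.mktemp(dir=directory)
    if between is not None:
        between(path)
    with open(path, "wb") as f:  # truncates whatever now sits at `path`
        f.write(data)
    return path

def write_with_mkstemp(data: bytes, directory: str) -> str:
    """Fixed: mkstemp() creates the file atomically (O_CREAT|O_EXCL, mode 0600)
    and returns an open descriptor, so there is no window to race."""
    fd, path = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def demo() -> dict:
    """Play the race out in one process and report what each pattern did."""
    directory = tempfile.mkdtemp()
    planted = []
    def other_process_plants_file(path):  # constructed stand-in for the racer
        with open(path, "wb") as f:
            f.write(b"placed by another process")
        planted.append(path)

    p = write_with_mktemp(b"our data", directory, between=other_process_plants_file)
    with open(p, "rb") as f:
        overwrote_foreign_file = p == planted[0] and f.read() == b"our data"
    q = write_with_mkstemp(b"our data", directory)
    # The guard mkstemp() relies on: an exclusive create on an existing path
    # fails instead of silently reusing the foreign file.
    try:
        os.close(os.open(p, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
        excl_refused = False
    except FileExistsError:
        excl_refused = True
    result = {"mktemp_overwrote_planted_file": overwrote_foreign_file,
              "mkstemp_mode": stat.S_IMODE(os.stat(q).st_mode),
              "o_excl_refused_existing_path": excl_refused}
    for path in (p, q):
        os.unlink(path)
    os.rmdir(directory)
    return result
```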

Occurrences

We are processing your report and will contact the horovod team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the horovod team and are waiting to hear back a year ago
We have sent a follow up to the horovod team. We will try again in 7 days. a year ago
We have sent a second follow up to the horovod team. We will try again in 10 days. a year ago
Enrico Minack
a year ago

This has been fixed. Please do not send any further messages regarding this.

horovod/horovod maintainer
a year ago

A fix to address the above vulnerability has been merged into the master branch.

Srikanth Prathi
a year ago

Researcher


Hi Enrico, Thank you for fixing the reported vulnerability. Can you please approve the same here. Thanks again.

Enrico Minack validated this vulnerability a year ago
Srikanth Prathi has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome
a year ago

Admin


Are we able to confirm the fix against this report?

Enrico Minack
a year ago

Has not been released.

Srikanth Prathi
a year ago

Researcher


Hi Enrico, has the fix been released? Can this report be made public?

Enrico Minack marked this as fixed in 0.24.0 with commit b96eca a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
js_run.py#L129 has been validated