pytest Temporary Directory Handling Privilege Escalation Vulnerability

Vulnerability

A vulnerability in pytest, in versions through 9.0.2 on UNIX systems, allows local users to cause a denial of service or potentially escalate privileges. It arises because pytest creates its temporary directories under predictable, username-based names, which an attacker can exploit through symlink attacks and time-of-check to time-of-use (TOCTOU) race conditions. The problem is exacerbated because certain Linux kernel protections are not enabled by default, leaving many environments exposed.

Impact

Exploitation of this vulnerability could lead to unauthorized privilege escalation or denial of service.

Reproduction

To reproduce this vulnerability, create a symlink in the `/tmp/pytest-of-{user}` directory, pointing to a location controlled by the attacker. Ensure that the `fs.protected_symlinks` sysctl is disabled. When pytest is run, it will follow the symlink and write to the attacker's chosen location, potentially leading to privilege escalation or denial of service.

Remediation

Users can create a secure temporary directory with `mktemp -d` and override pytest's default temporary directory setting to point at it. On Linux, it is also advisable to enable the relevant sysctls that protect against symlink and hardlink attacks.
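The following POSIX shell helper is an added example (it is not part of the advisory or of the pytest project) that applies both remediations: it reports whether the kernel's fs.protected_symlinks and fs.protected_hardlinks sysctls are enabled, then runs pytest with its `--basetemp` option pointed at a private `mktemp -d` directory instead of the predictable /tmp/pytest-of-$USER tree. The script file name and the assumption that /proc/sys/fs is readable are the author's own.

```shell
#!/bin/sh
# Added example, not from the advisory or the pytest project.
# Usage (file name is an assumption):
#   . ./pytest_private_tmp.sh && run_pytest_private tests/
set -eu

# Print "on", "off" or "unknown" for an fs.* sysctl such as protected_symlinks.
# "unknown" means the sysctl is absent (non-Linux host, or /proc/sys not readable).
protected_fs_status() {
  f="/proc/sys/fs/$1"
  if [ -r "$f" ]; then
    # A nonzero value means the protection is enabled.
    if [ "$(cat "$f")" -ge 1 ]; then echo on; else echo off; fi
  else
    echo unknown
  fi
}

# Create an unpredictable, owner-only (0700) base directory and print its path.
# The caller is responsible for removing it afterwards.
make_private_basetemp() {
  d=$(mktemp -d "${TMPDIR:-/tmp}/pytest-private.XXXXXXXXXX")
  chmod 700 "$d"   # mktemp -d already uses 0700; this makes the intent explicit
  printf '%s\n' "$d"
}

# Run pytest from a private basetemp. All arguments are passed through to pytest.
# Warns when the kernel symlink/hardlink protections are not confirmed enabled.
run_pytest_private() {
  for k in protected_symlinks protected_hardlinks; do
    s=$(protected_fs_status "$k")
    [ "$s" = on ] || echo "warning: fs.$k is $s" >&2
  done
  d=$(make_private_basetemp)
  rc=0
  pytest --basetemp="$d" "$@" || rc=$?
  rm -rf "$d"      # clean up even when the test run fails
  return "$rc"
}
```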

Added: Jan 22, 2026, 5:20 AM
Updated: Jan 22, 2026, 5:20 AM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 4.0
remediation: 8.3
relevance: 2.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.