Nixpkgs security tracker
Tautulli: RCE via eval() sandbox bypass using lambda nested scope to escape co_names whitelist check
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the str_eval() function in notification_handler.py implements a sandboxed eval() for notification text templates. The sandbox attempts to restrict callable names by inspecting code.co_names of the compiled code object. However, co_names only contains names from the outer code object. When a lambda expression is used, it creates a nested code object whose attribute accesses are stored in code.co_consts, NOT in code.co_names. The sandbox never inspects nested code objects. This issue has been patched in version 2.17.0.
References
-
https://github.com/Tautulli/Tautulli/security/advisories/GHSA-m62j-gwm9-7p8m x_refsource_CONFIRM
-
https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0 x_refsource_MISC
Affected products
- ==< 2.17.0
Matching in nixpkgs
pkgs.tautulli
Python based monitoring and tracking tool for Plex Media Server
pkgs.python312Packages.pytautulli
Python module to get information from Tautulli
pkgs.python313Packages.pytautulli
Python module to get information from Tautulli
pkgs.python314Packages.pytautulli
Python module to get information from Tautulli
pkgs.home-assistant-component-tests.tautulli
Open source home automation that puts local control and privacy first
pkgs.tests.home-assistant-component-tests.tautulli
Open source home automation that puts local control and privacy first
Package maintainers
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
-
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
-
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
-
@rhoriguchi Ryan Horiguchi <ryan.horiguchi@gmail.com>