CVE-2023-49797
📋 TL;DR
This vulnerability allows an unprivileged local attacker to trick a PyInstaller-built application running with elevated privileges into deleting arbitrary files the attacker could not otherwise remove. The attack abuses a race condition (TOCTOU) or a directory junction weakness during cleanup of the application's temporary files. Users are affected if they run PyInstaller-bundled applications that include matplotlib or win32com with elevated privileges and their temporary directory is writable by other local users.
💻 Affected Systems
- PyInstaller
📦 What is this software?
PyInstaller by the PyInstaller project
⚠️ Risk & Real-World Impact
Worst Case
Privilege escalation leading to deletion of critical system files, potential system compromise, or denial of service.
Likely Case
Unauthorized deletion of user or application files, potentially causing data loss or application disruption.
If Mitigated
Limited to deletion of files within user's own permissions if applications run with standard privileges.
🎯 Exploit Status
Exploitation requires precise timing for race condition attacks (TOCTOU) or specific Python version for directory junction attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: pyinstaller >= 5.13.1
Vendor Advisory: https://github.com/pyinstaller/pyinstaller/security/advisories/GHSA-9w2p-rh8c-v9g5
Restart Required: Yes
Instructions:
1. Upgrade PyInstaller (quote the requirement so the shell does not treat `>=` as a redirection): pip install --upgrade "pyinstaller>=5.13.1"
2. Rebuild affected applications with updated PyInstaller
3. Redeploy rebuilt applications
🔧 Temporary Workarounds
Secure temporary directories
Ensure TEMP/TMP environment variables point to user-specific, protected directories
On Windows: set TMP=%USERPROFILE%\AppData\Local\Temp
On Linux: export TMP=/tmp/$(whoami)
Run with minimal privileges
Avoid running PyInstaller applications with elevated/admin privileges
🧯 If You Can't Patch
- Run applications with standard user privileges only
- Ensure TEMP/TMP directories are user-specific and protected with proper permissions
🔍 How to Verify
Check if Vulnerable:
Check the PyInstaller version used to build the application: pip show pyinstaller | grep Version
Check whether the bundled application includes matplotlib or win32com and whether it runs with elevated privileges
Check Version:
pip show pyinstaller | grep Version
Verify Fix Applied:
Verify PyInstaller version is 5.13.1 or higher: pip show pyinstaller | grep Version
Rebuild applications with updated version
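The two preconditions the advisory names (a PyInstaller build older than 5.13.1 and a temporary directory shared with other local users) can be checked mechanically. The script below is an added example written for this page, not code from the advisory or from the PyInstaller project; it assumes the installed package is named `pyinstaller` and, on Windows, follows the workaround above by treating only a directory under `%USERPROFILE%` as private.

```python
"""Added check for CVE-2023-49797 preconditions (example code, not part of the
advisory or of PyInstaller). It flags a PyInstaller older than the fixed 5.13.1
release and a temp directory that other local users can write to."""
import os
import re
import stat
import tempfile
from importlib.metadata import PackageNotFoundError, version

FIXED_VERSION = (5, 13, 1)  # first release carrying the fix, per the advisory


def parse_version(text):
    """'5.13.0' or '5.13.1rc1' -> comparable tuple of ints (leading digits
    of each dot-separated part; stops at the first non-numeric part)."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_is_vulnerable(text):
    return parse_version(text) < FIXED_VERSION  # anything before 5.13.1


def posix_mode_is_shared(owned_by_me, mode):
    """A temp dir is 'shared' if someone else owns it or it has a group/other
    write bit; a world-writable /tmp therefore counts, per-user dirs do not."""
    return (not owned_by_me) or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def tempdir_is_shared(path):
    """Windows has no POSIX mode bits, so there we follow the advisory's
    workaround: only a directory under the user's own profile is private."""
    if os.name == "nt":
        profile = os.path.normcase(os.environ.get("USERPROFILE", ""))
        return not (profile and os.path.normcase(path).startswith(profile))
    st = os.stat(path)
    return posix_mode_is_shared(st.st_uid == os.getuid(), st.st_mode)


def report():
    """Both checks for the current interpreter and environment."""
    try:
        installed = version("pyinstaller")
    except PackageNotFoundError:
        installed = None  # PyInstaller not installed in this interpreter
    tmp = tempfile.gettempdir()
    return {"pyinstaller": installed,
            "version_vulnerable": bool(installed) and version_is_vulnerable(installed),
            "tempdir": tmp, "tempdir_shared": tempdir_is_shared(tmp)}
```

Run it inside the environment used to build the application; a `tempdir_shared` result of `True` means the workaround of pointing TEMP/TMP at a per-user directory has not been applied.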
📡 Detection & Monitoring
Log Indicators:
- Unexpected file deletion events in system logs
- Access denied errors for privileged file operations
Network Indicators:
- None - local exploitation only
SIEM Query:
EventID 4663 (File deletion) with elevated privilege context on systems running PyInstaller applications
🔗 References
- https://github.com/pyinstaller/pyinstaller/pull/7827
- https://github.com/pyinstaller/pyinstaller/security/advisories/GHSA-9w2p-rh8c-v9g5
- https://github.com/python/cpython/blob/0fb18b02c8ad56299d6a2910be0bab8ad601ef24/Lib/shutil.py#L623
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2K2XIQLEMZIKUQUOWNDYWTEWYQTKMAN7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ISRWT34FAF23PUOLVZ7RVWBZMWPDR5U7/