[ANN][SECURITY] Local Privilege Escalation in all Windows software frozen by PyInstaller in "onefile" mode

Severity: high
CVSSv3 score: 7.0
Packages: PyInstaller (Windows)
Affected versions: <= 3.5
Patched versions: 3.6, available at https://pypi.org/project/PyInstaller/
CVE identifier: CVE-2019-16784

Impact

Local Privilege Escalation in all Windows software frozen by PyInstaller in "onefile" mode, caused by insecure directory permissions of sys._MEIPATH. While PyInstaller itself was not vulnerable, all Windows software frozen by PyInstaller in "onefile" mode is vulnerable.

The vulnerability is present only on Windows and only in this particular case: a program frozen by PyInstaller in "onefile" mode is launched by a (privileged) user whose "TempPath" resolves to a world-writable directory. This is the case, for example, if the software is launched as a service or as a scheduled task using a system account (in which case TempPath defaults to C:\Windows\Temp). To be exploitable, the software has to be (re)started after the attacker has launched the exploit program; for a service launched at startup, a service restart is needed (e.g. after a crash or an upgrade).

CVSSv3 score: 7.0 (High)
CVSSv3 vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Patches

The problem is patched in commits 42a67148b3bdf9 (fixed code) <https://github.com/pyinstaller/pyinstaller/commit/42a67148b3bdf9211fda8499fd...> and be948cf09547 (recompiled bootloaders) <https://github.com/pyinstaller/pyinstaller/commit/be948cf0954707671aa499da17...>. Users should upgrade to PyInstaller version 3.6 and rebuild their software. The new version is available at https://pypi.org/project/PyInstaller/

Workarounds

There is no known workaround: users who freeze their Windows software with PyInstaller in "onefile" mode should upgrade PyInstaller and rebuild their software.
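The precondition described under Impact is a TempPath in which any local user may create files or subdirectories. The following script is an added example for operators, not code from PyInstaller or from this advisory: it parses the output of the Windows `icacls` tool for a directory and reports which broad principals (Everyone, BUILTIN\Users, Authenticated Users) hold create rights there. The two embedded `icacls` listings are constructed sample data (the first mirrors the layout of the default C:\Windows\Temp ACL, the second a locked-down per-service directory); `audit_live` runs `icacls` for real and is only useful on Windows.

```python
"""Audit a Windows TempPath for the precondition behind CVE-2019-16784.

A PyInstaller "onefile" program unpacks into a _MEIxxxxxx directory under
the launching user's TempPath. If unprivileged users can create entries in
that TempPath (the default C:\\Windows\\Temp allows this), the advisory's
precondition is met. This helper parses `icacls <dir>` output and flags it.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Set

# Principals that stand for "any local user"; a create grant to one of them
# makes the directory world-writable in the sense the advisory uses.
BROAD_PRINCIPALS = {"everyone", r"builtin\users", r"nt authority\authenticated users"}

# icacls rights tokens that allow creating or replacing directory entries:
# F = full, M = modify, W = write (simple rights); GW = generic write,
# WD = write data / add file, AD = append data / add subdirectory.
CREATE_RIGHTS = {"F", "M", "W", "GW", "WD", "AD"}
_FLAG_GROUPS = {"DENY", "OI", "CI", "IO", "NP", "I"}
_ACE_RE = re.compile(r"^(?P<who>[^:]+?):(?P<groups>(?:\([^()]*\))+)\s*$")


@dataclass
class Ace:
    who: str
    deny: bool
    inherit: Set[str]
    rights: Set[str]


def parse_icacls(output: str, path: str) -> List[Ace]:
    """Parse the ACE lines of `icacls <path>`; status and blank lines are skipped."""
    aces: List[Ace] = []
    for raw in output.splitlines():
        line = raw.strip()
        # icacls prints the path in front of the first ACE only.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = _ACE_RE.match(line)
        if not m:
            continue
        groups = re.findall(r"\(([^()]*)\)", m.group("groups"))
        rights: Set[str] = set()
        for g in groups:
            if g not in _FLAG_GROUPS:
                rights.update(tok.strip() for tok in g.split(","))
        aces.append(Ace(who=m.group("who").strip(), deny="DENY" in groups,
                        inherit={g for g in groups if g in _FLAG_GROUPS - {"DENY"}},
                        rights=rights))
    return aces


def world_writable_grants(aces: List[Ace]) -> List[str]:
    """Broad principals granted create rights; a DENY on a create right for the
    same principal is treated as overriding the grant."""
    denied = {a.who.lower() for a in aces if a.deny and a.rights & CREATE_RIGHTS}
    return [a.who for a in aces
            if not a.deny and a.who.lower() in BROAD_PRINCIPALS
            and a.who.lower() not in denied and a.rights & CREATE_RIGHTS]


def audit_icacls_output(output: str, path: str) -> dict:
    grants = world_writable_grants(parse_icacls(output, path))
    return {"path": path, "world_writable": bool(grants), "grants": grants}


def audit_live(path: str) -> Optional[dict]:
    """Run icacls on a real directory (Windows only); None where icacls is absent."""
    try:
        proc = subprocess.run(["icacls", path], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return audit_icacls_output(proc.stdout, path)


# Constructed sample mirroring the layout icacls prints for the default
# C:\Windows\Temp ACL: BUILTIN\Users may add files (WD) and subdirectories (AD).
SAMPLE_WINDOWS_TEMP = r"""C:\Windows\Temp NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                BUILTIN\Administrators:(OI)(CI)(F)
                BUILTIN\Users:(CI)(S,WD,AD,X)
                CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample of a per-service temp directory (hypothetical path) that
# only SYSTEM and Administrators can write to.
SAMPLE_PRIVATE_TEMP = r"""C:\ProgramData\MyService\Temp NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    print(audit_icacls_output(SAMPLE_WINDOWS_TEMP, r"C:\Windows\Temp"))
    print(audit_icacls_output(SAMPLE_PRIVATE_TEMP, r"C:\ProgramData\MyService\Temp"))
    live = audit_live(r"C:\Windows\Temp")
    if live is not None:
        print("live:", live)
```

On a host where the service account's TempPath is the default, the first sample reports `BUILTIN\Users` as holding create rights, which is exactly the condition under which an unpatched onefile build is exposed; pointing the service's TEMP/TMP at a directory with the second sample's ACL does not replace upgrading to 3.6, since the advisory lists no workaround, but it is the shape an operator would want to see when auditing.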
The new version is available at https://pypi.org/project/PyInstaller/

Credits

This vulnerability was discovered and reported by Farid AYOUJIL (@faridtsl), David HA, Florent LE NIGER and Yann GASCUEL (@lnv42) from Alter Solutions (@AlterSolutions) and fixed in collaboration with Hartmut Goebel (@htgoebel, maintainer of PyInstaller).

Funding Development

PyInstaller is in urgent need of funding to make future security fixes happen, see <https://github.com/pyinstaller/pyinstaller/issues/4404> for details.

--
Kind regards
Hartmut Goebel
Dipl.-Informatiker (univ), CISSP, CSSLP, ISO 27001 Lead Implementer
Information Security Management, Security Governance, Secure Software Development
Goebel Consult, Landshut
http://www.goebel-consult.de
Blog: https://www.goe-con.de/blog/e-mails-weiterhin-verschlusseln
Column: https://www.goe-con.de/hartmut-goebel/cissp-gefluester/2010-11-it-sicherheit...