Bug 531002 - <dev-lang/python-{2.7.10,3.4.4}: dumbdbm "eval()" Arbitrary Code Execution Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://bugs.python.org/issue22885
Whiteboard: A2 [glsa cve]
Depends on: CVE-2016-0772
Reported: 2014-11-28 14:17 UTC by Agostino Sarubbo
Modified: 2017-01-10 14:00 UTC
Description Agostino Sarubbo gentoo-dev 2014-11-28 14:17:18 UTC
From ${URL} :

The dumbdbm module uses an unchecked call to eval() in the _update method, which is called in response to a call to dumbdbm.open(), and is used to load the index from the directory file. This poses a security vulnerability because it allows an attacker to execute arbitrary code on the victim's machine by inserting Python code into the DBM directory file. This vulnerability could allow an attacker to execute arbitrary commands on the victim machine, potentially allowing them to deploy malware, gain system access, destroy files and data, expose sensitive information, etc.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
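
An added example, not part of the bug report or of CPython: a defensive parser for the dumbdbm directory file that treats each index line as data and rejects anything that is not a plain `key, (pos, size)` literal. Using `ast.literal_eval` in place of `eval()` is this example's assumption (the page does not describe the upstream changesets), and `SAMPLE_DIR`, `parse_index_line` and `audit_index` are hypothetical names with constructed sample input.

```python
import ast

# Constructed sample of a dumbdbm directory (.dir) file: one "key, (pos, size)"
# line per record. Lines 3-5 are deliberately malformed for the demonstration.
SAMPLE_DIR = (
    "'alpha', (0, 5)\n"
    "'beta', (512, 11)\n"
    "'gamma', (1024, len('x'))\n"   # contains a call, i.e. code rather than data
    "'delta', (-1, 4)\n"            # negative offset
    "'epsilon', 7\n"                # wrong shape
)


def parse_index_line(line):
    """Return (key, (pos, size)) for one index line, or raise ValueError."""
    try:
        # literal_eval accepts only literals (strings, numbers, tuples, ...),
        # so names, calls and attribute access are refused instead of executed.
        value = ast.literal_eval(line.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        raise ValueError("not a plain Python literal")
    if not (isinstance(value, tuple) and len(value) == 2):
        raise ValueError("expected a (key, (pos, size)) pair")
    key, location = value
    if not isinstance(key, (str, bytes)):
        raise ValueError("key is not a string")
    if not (isinstance(location, tuple) and len(location) == 2
            and all(type(n) is int and n >= 0 for n in location)):
        raise ValueError("pos/size must be two non-negative integers")
    return key, location


def audit_index(text):
    """Parse a whole directory file; return (entries, rejected)."""
    entries, rejected = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # ignore blank lines
        try:
            key, location = parse_index_line(line)
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
        else:
            entries[key] = location
    return entries, rejected


if __name__ == "__main__":
    print(audit_index(SAMPLE_DIR))
```

Run over a directory file from an untrusted source before opening the database, a non-empty `rejected` list is the signal that the index has been tampered with or corrupted.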
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-12-29 01:26:38 UTC
Is this bug being addressed by Bug #532232?
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-01 16:55:09 UTC
From http://bugs.python.org/issue22885#msg236073:

> New changeset 02865d22a98d by Serhiy Storchaka in branch '2.7':
> Fixed arbitrary code execution vulnerability in the dumbdbm
> https://hg.python.org/cpython/rev/02865d22a98d

To answer Yury's question from comment #1, 

$ hg log -r "02865d22a98d :: and tag()"
changeset:   95937:80ccce248ba2
branch:      2.7
tag:         v2.7.10rc1
user:        Benjamin Peterson <benjamin@python.org>
date:        Sun May 10 13:14:16 2015 -0400
summary:     bump version to 2.7.10rc1

changeset:   96239:15c95b7d81dc
branch:      2.7
tag:         v2.7.10
parent:      96234:2a7b0e145945
user:        Benjamin Peterson <benjamin@python.org>
date:        Sat May 23 11:02:14 2015 -0500
summary:     python 2.7.10 final

so it wasn't addressed by bug 532232.


> New changeset 693bf15b4314 by Serhiy Storchaka in branch '3.4':
> Fixed arbitrary code execution vulnerability in the dbm.dumb
> https://hg.python.org/cpython/rev/693bf15b4314

$ hg log -r "693bf15b4314:: and tag()"

[...]

branch:      3.4
tag:         v3.4.4rc1
user:        Larry Hastings <larry@hastings.org>
date:        Sun Dec 06 05:53:35 2015 -0800
summary:     Version bump for 3.4.4rc1.

changeset:   99647:737efcadf5a6
branch:      3.4
tag:         v3.4.4
user:        Larry Hastings <larry@hastings.org>
date:        Sat Dec 19 19:31:10 2015 -0800
summary:     Release bump for Python 3.4.4 final.



v2.7 branch was fixed in Gentoo since https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-lang/python/python-2.7.10.ebuild?view=log and =dev-lang/python-2.7.10-r1 is the current stable version. No vulnerable version left.


v3.4 branch was fixed in Gentoo since https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66faa8a8ce224eb34541e5fbbbaef87dc233032a, however stabilization is currently in progress via bug 585946.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-01-10 14:00:58 UTC
This issue was resolved and addressed in GLSA 201701-18 at https://security.gentoo.org/glsa/201701-18 by GLSA coordinator Thomas Deutschmann (whissi).