|Summary:||dev-lang/python privilege escalation (libs being loaded from CWD)|
|Product:||Gentoo Security||Reporter:||Christian Hoffmann (RETIRED) <hoffie>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||critical||CC:||dev-portage, python, solar|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||239560|
Description Christian Hoffmann (RETIRED) 2008-06-04 18:56:12 UTC
solar discovered that Python tries to load python modules (.py, .pyc, .so) from the current working directory, which might be owned by non-trusted users. This might lead to execution of arbitrary code in the context of the user running python.
Comment 1 Christian Hoffmann (RETIRED) 2008-06-04 19:06:16 UTC
Setting whiteboard (security, please recheck!). Python herd, please advise. Portage team, I CC'ed you as something like "sudo emerge" is probably rather common, although not necessarily from untrusted directories. Not much to do for you probably. A quick strace on a Debian system seems to show the same behavior, so this does not seem to be Gentoo-specific.
Comment 2 Ali Polatel (RETIRED) 2008-06-04 21:39:25 UTC
Created attachment 155545 [details] safe-import.py It's a bit late to dive in to cpython stuff right now - gmt+3 here :-] - but here is a temporary workaround for those who are paranoid. I'll try to come up with a fix tomorrow.
Comment 3 Robert Buchholz (RETIRED) 2008-06-04 23:51:40 UTC
This behaviour is documented and specified in the Python docs, quote http://docs.python.org/lib/module-sys.html : ======================================================================== path A list of strings that specifies the search path for modules. Initialized from the environment variable PYTHONPATH, plus an installation-dependent default. As initialized upon program startup, the first item of this list, path, is the directory containing the script that was used to invoke the Python interpreter. If the script directory is not available (e.g. if the interpreter is invoked interactively or if the script is read from standard input), path is the empty string, which directs Python to search modules in the current directory first. Notice that the script directory is inserted before the entries inserted as a result of PYTHONPATH. ======================================================================== Python uses is use the current working directory only in interactive sessions. In all scenarios where scripts are being called, the directory where the script resides is used. So this would only affect users who run python programs situated (or symlinked) in a world-writable directory. If you trust the person owning the file, and the directory is sticky, executing that file should be safe, and here is where the described problem kicks in. But still, this is a corner case that should definitely not affect out-of-the-box software in Gentoo.
Comment 4 Pierre-Yves Rofes (RETIRED) 2008-07-06 17:14:23 UTC
so, what do we do here? close this as invalid since it's a documented behaviour?
Comment 5 Robert Buchholz (RETIRED) 2008-07-06 21:29:27 UTC
Solar, do you want to follow up on the problem of it happening for "-c" ? Otherwise, I'll go with INVALID.
Comment 6 Pierre-Yves Rofes (RETIRED) 2008-09-19 21:28:27 UTC
(In reply to comment #5) > Solar, do you want to follow up on the problem of it happening for "-c" ? > Otherwise, I'll go with INVALID. > ping.
Comment 7 solar (RETIRED) 2008-09-19 21:52:38 UTC
Do what you wish I really don't have time to focus on this. I would say I dislike the described behavior of python. The following ebuilds might need to be audited for the use of python -c directly app-portage/metagen app-text/txt2tags dev-python/twisted dev-util/boa-constructor media-sound/ecasound net-mail/fetchmail net-misc/omniORB sys-apps/portage As well as these eclasses. eclass/python.eclass eclass/twisted.eclass
Comment 8 Robert Buchholz (RETIRED) 2008-09-20 11:20:35 UTC
(In reply to comment #7) > The following ebuilds might need to be audited for the use of python -c > directly Done. Let's discuss the details later.