
Bug 239560 (CVE-2008-4394)

Summary: sys-apps/portage < Insecure search path for python -c in ebuilds (CVE-2008-4394)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: major CC: dev-portage
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A1 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 224925, 240304, 240722, 595028    
Attachments:
  patch that applies on top of (flags: none)
  patch portage- to make work for

Description Robert Buchholz (RETIRED) gentoo-dev 2008-10-04 16:15:09 UTC
solar pointed out in bug 224925 that python -c will prepend . to sys.path, loading imports from the CWD.
If an attacker can place a crafted python module (such as in a world-writable directory) and entice the root user to run 'emerge' from that directory, he would gain root privileges if emerge calls ebuild functions that do not have their CWD sanitized (which is the case for all pkg_ functions).

The following list of ebuilds is vulnerable to these attacks:

app-text/txt2tags calls python -c in pkg_setup, should use 
dev-python/twisted calls python -c in update_plugin_cache in pkg_postinst 
and pkg_postrm
net-mail/fetchmail calls python -c in pkg_postinst, should use 
sys-apps/portage calls python -c in compile_all_python_bytecodes from 
app-admin/sabayon calls python_mod_exists from pkg_setup
dev-python/pythong calls python_mod_exists/python_tkinter_exists from 
app-editors/leo calls python_tkinter_exists from pkg_setup
games-board/pysol calls python_tkinter_exists from pkg_setup
media-gfx/skencil calls python_tkinter_exists from pkg_setup
media-sound/lilycomp calls python_tkinter_exists from pkg_setup
net-im/msnlib calls python_tkinter_exists from pkg_setup
sci-misc/gato calls python_tkinter_exists from pkg_setup
sci-visualization/mayavi calls python_tkinter_exists from pkg_setup

twisted.eclass calls python -c in update_plugin_cache from 
twisted_pkg_postrm and twisted_pkg_postinst
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-10-04 16:34:05 UTC
zmedico agreed that this issue is best fixed in Portage itself, as that would also secure ebuilds in overlays, and future mistakes in trusting 'python -c'.

Portage 2.2_rc10 tries to sanitize the CWD (cd $PORTAGE_BUILDDIR) before calling pkg_ functions in ebuilds, but fails when the directory does not exist (such as in the pkg_setup() function). Zac, we need to make sure the cd call has a target that is guaranteed to exist, and emerge dies if it fails.

Steps to reproduce:

rbu@peanut /tmp $ cat
open("/tmp/owned", 'w').write('yes')
rbu@peanut /tmp $ ls -la owned
ls: cannot access owned: No such file or directory
-rw-r--r-- 1 rbu rbu 37 2008-10-04 18:29

In a root shell, run:
peanut tmp # USE=tk emerge app-text/txt2tags

And then we see:
rbu@peanut /tmp $ ls -la owned
-rw-r--r-- 1 root root  3 2008-10-04 18:29 owned
-rw-r--r-- 1 rbu  rbu  38 2008-10-04 18:29
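The following script is an added, self-contained illustration of the issue described in the report and of the Portage-side fix discussed in Comment 1. It is not Portage code and not the bug's own reproducer: the attacker directory, the marker file, the `die` helper and the three phase prologues are constructed for the example, and `Tkinter` is assumed as the module name an ebuild probes with `python -c` (mirroring the `python_tkinter_exists` callers listed above; any name the phase imports works the same way). Three stand-ins for a `pkg_setup` prologue are compared: no CWD sanitization at all, the 2.2_rc10 behaviour where `cd "$PORTAGE_BUILDDIR"` fails silently because the directory does not yet exist, and the fixed behaviour where the directory is created first and a failed `cd` dies.

```shell
#!/usr/bin/env bash
# Added example for bug 239560 / CVE-2008-4394. Not Portage code; all names,
# paths and the planted module are constructed for this demonstration.
set -u

PYTHON=${PYTHON:-python3}
command -v "$PYTHON" >/dev/null 2>&1 || PYTHON=python

# Stand-in for Portage's die(): inside the phase subshells below it aborts the
# whole phase instead of letting later commands run in an unexpected CWD.
die() { echo "die: $*" >&2; exit 1; }

# Constructed stand-in for the world-writable directory root is enticed to run
# 'emerge' from. The planted Tkinter.py shadows the real module because
# 'python -c' puts the CWD ('') at the head of sys.path.
setup_attacker_dir() {
    local dir; dir=$(mktemp -d)
    cat > "$dir/Tkinter.py" <<'EOF'
# planted module: runs with the privileges of whoever executes the python -c probe
import os
open(os.path.join(os.environ["PWNED_MARKER_DIR"], "owned"), "w").write("yes\n")
EOF
    echo "$dir"
}

# The probe an ebuild phase performs. PYTHONSAFEPATH is cleared so the result
# reflects the interpreter default rather than the caller's environment.
probe_tkinter() {
    PWNED_MARKER_DIR="$1" PYTHONSAFEPATH= "$PYTHON" -c 'import Tkinter' 2>/dev/null
}

# Vulnerable: the phase runs with root's shell CWD (the attacker directory)
# and never changes it. Returns 0 when the planted module got executed.
unsanitized_pkg_setup() {
    local attacker_dir=$1
    ( cd "$attacker_dir" || exit 1
      probe_tkinter "$attacker_dir" )
    [ -f "$attacker_dir/owned" ]
}

# Portage 2.2_rc10 behaviour from Comment 1: it tries to cd into
# $PORTAGE_BUILDDIR, but for pkg_setup the directory does not exist yet, the
# cd fails, nothing dies, and the probe still runs from the caller's CWD.
rc10_pkg_setup() {
    local attacker_dir=$1 builddir=$2
    ( cd "$attacker_dir" || exit 1
      cd "$builddir" 2>/dev/null      # fails silently, CWD unchanged
      probe_tkinter "$attacker_dir" )
    [ -f "$attacker_dir/owned" ]
}

# Fixed behaviour from the patch in this bug: guarantee the build directory
# exists for every phase, then cd into it and die if that fails.
fixed_pkg_setup() {
    local attacker_dir=$1 builddir=$2
    ( cd "$attacker_dir" || exit 1
      mkdir -p "$builddir" || die "cannot create \$PORTAGE_BUILDDIR"
      cd "$builddir" || die "cd to \$PORTAGE_BUILDDIR failed"
      probe_tkinter "$attacker_dir" )
    [ -f "$attacker_dir/owned" ]     # expected to fail: nothing was hijacked
}

# Standalone run: prints which prologues let the planted module execute.
demo() {
    local a; a=$(setup_attacker_dir)
    local b; b=$(mktemp -d)/portage/app-text/txt2tags
    unsanitized_pkg_setup "$a" && echo "no cd:        hijacked"; rm -f "$a/owned"
    rc10_pkg_setup "$a" "$b"  && echo "rc10 cd:      hijacked"; rm -f "$a/owned"
    fixed_pkg_setup "$a" "$b" || echo "mkdir+cd||die: safe"
    rm -rf "$a" "${b%/portage/*}"
}
[ "${BASH_SOURCE[0]:-$0}" = "$0" ] && demo
```

The deciding line is the last `cd ... || die`: with it, a phase can never continue in a directory the ebuild did not choose, whether `python -c` or any other tool that trusts the CWD runs afterwards. Current CPython (3.11 and later) also offers `-P` / `PYTHONSAFEPATH` to keep the CWD out of `sys.path`, but that protects only Python probes and only when every caller remembers to pass it; sanitizing the CWD in the package manager covers ebuilds in overlays as well, which is the reason given in Comment 1 for fixing this in Portage.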
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-10-04 16:37:44 UTC
General TODOs for this issue:

1) Prepare a patch to
2) Prepare a portage- release (non-public), that we then test with arch
   security liaisons on this bug.
3) Push out a GLSA and the stable Portage release.
4) Contact other package manager maintainers about their (~arch) PMs
5) Include CWD preconditions in EAPI
Comment 3 Zac Medico gentoo-dev 2008-10-05 07:21:07 UTC
Created attachment 167252 [details, diff] patch that applies on top of

The first and last hunks (in and are for this bug:

    Fixes for Bug #239560:
    * When ensuring sane $PWD in, die if the `cd "$PORTAGE_BUILDDIR"`
      call fails.
    * In, create $PORTAGE_BUILDDIR for the "fetch" phase too since
      it might be necessary to call pkg_nofetch.

The patch also includes some patches for a few other bugs that should also get fixed since we're doing a bump:

    Bug #239471 - Handle InvalidDependString from portdbapi.getfetchlist()
    inside search.output(). (trunk r11602)

    Bug #239006 - In FakeVartree._aux_get_wrapper(), fall back to vdb metadata
    if the live ebuild's EAPI is unsupported. (trunk r11600)

    Bug #222091 - Filter out any instances of the \1 character from variable
    values since this character multiplies each time that the environment
    is saved (strange bash behavior). This can eventually result in
    mysterious 'Argument list too long' errors from programs that have
    huge strings of \1 characters in their environment. (trunk r11485)
Comment 4 Zac Medico gentoo-dev 2008-10-05 07:43:41 UTC
Created attachment 167255 [details, diff]
patch portage- to make work for
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-10-05 14:06:31 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug:
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : yoswink, armin76
   amd64 : keytoaster, tester
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : maekke, armin76
Comment 6 Ferris McCormick (RETIRED) gentoo-dev 2008-10-05 17:05:25 UTC
Sparc looks good.  Patch installs cleanly to ebuild, ebuild cleanly installs the portage-, and it builds and installs as expected.  Resulting portage can install things, including itself.
Sun Oct  5 16:49:20 2008 >>> sys-apps/portage-
Sun Oct  5 16:54:34 2008 >>> sys-apps/portage-
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2008-10-05 18:27:56 UTC
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2008-10-06 07:25:54 UTC
looks good on ppc64
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2008-10-06 08:24:11 UTC
Looks okay on alpha/arm/ia64/sh/x86
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-06 17:04:14 UTC
Okay on amd64.
Mon Oct  6 18:59:22 2008 >>> sys-apps/portage-
Mon Oct  6 18:59:57 2008 >>> sys-apps/portage-
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-07 18:02:24 UTC
looks good on ppc, too
Comment 12 Zac Medico gentoo-dev 2008-10-08 16:24:47 UTC
I think everyone's accounted for. Shall I go ahead and add portage- to the tree, directly with stable keywords?
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-10-08 16:32:59 UTC
please give us a day to finish glsa drafting and review
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-10-09 17:49:01 UTC
public, this is GLSA-200810-02
Comment 15 Zac Medico gentoo-dev 2008-10-09 21:57:07 UTC
Now this is released in both and 2.2_rc12.
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-10-09 22:20:52 UTC
Thanks, closing then.