Summary: | sys-apps/portage <2.1.4.5 Insecure search path for python -c in ebuilds (CVE-2008-4394) | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> | ||||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||||
Status: | RESOLVED FIXED | ||||||||
Severity: | major | CC: | dev-portage | ||||||
Priority: | High | ||||||||
Version: | unspecified | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
Whiteboard: | A1 [glsa] | ||||||||
Package list: | Runtime testing required: | --- | |||||||
Bug Depends on: | |||||||||
Bug Blocks: | 224925, 240304, 240722, 595028 | ||||||||
Attachments: |
|
Description
Robert Buchholz (RETIRED)
2008-10-04 16:15:09 UTC
zmedico agreed that this issue is best fixed in Portage itself, as that would also secure ebuilds in overlays, and future mistakes in trusting 'python -c'. Portage 2.2_rc10 tries to sanitize the CWD (cd $PORTAGE_BUILDDIR) before calling pkg_ functions in ebuilds, but fails when the directory does not exist (such as in the pkg_setup() function). Zac, we need to make sure the cd call has a target that is guaranteed to exist, and emerge dies if it fails. Steps to reproduce: rbu@peanut /tmp $ cat _tkinter.py open("/tmp/owned", 'w').write('yes') rbu@peanut /tmp $ ls -la _tkinter.py owned ls: cannot access owned: No such file or directory -rw-r--r-- 1 rbu rbu 37 2008-10-04 18:29 _tkinter.py In a root shell, run: peanut tmp # USE=tk emerge app-text/txt2tags And then we see: rbu@peanut /tmp $ ls -la _tkinter.py owned -rw-r--r-- 1 root root 3 2008-10-04 18:29 owned -rw-r--r-- 1 rbu rbu 38 2008-10-04 18:29 _tkinter.py General TODOs for this issue: 1) Prepare a patch to ebuild.sh 2) Prepare a portage-2.1.4.5 release (non-public), that we then test with arch security liaisons on this bug. 3) Push out a GLSA and the stable Portage release. 4) Contact other package manager maintainers about their (~arch) PMs 5) Include CWD preconditions in EAPI Created attachment 167252 [details, diff] 2.1.4.5 patch that applies on top of 2.1.4.4 The first and last hunks (in ebuild.sh and portage.py) are for this bug: Fixes for Bug #239560: * When ensuring sane $PWD in ebuild.sh, die if the `cd "$PORTAGE_BUILDDIR"` call fails. * In portage.py, create $PORTAGE_BUILDDIR for the "fetch" phase too since it might be necessary to call pkg_nofetch. The patch also includes some patches for a few other bugs that should also get fixed since we're doing a bump: Bug #239471 - Handle InvalidDependString from portdbapi.getfetchlist() inside search.output(). (trunk r11602) Bug #239006 - In FakeVartree._aux_get_wrapper(), fall back to vdb metadata if the live ebuild's EAPI is unsupported. (trunk r11600) Bug #222091 - Filter out any instances of the \1 character from variable values since this character multiplies each time that the environment is saved (strange bash behavior). This can eventually result in mysterious 'Argument list too long' errors from programs that have huge strings of \1 characters in their environment. (trunk r11485) Created attachment 167255 [details, diff]
patch portage-2.1.4.4.ebuild to make work for 2.1.4.5
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug: =sys-apps/portage-2.1.4.5 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86" CC'ing current Liaisons: alpha : yoswink, armin76 amd64 : keytoaster, tester hppa : jer ppc : dertobi123 ppc64 : corsair sparc : fmccor x86 : maekke, armin76 Sparc looks good. Patch installs cleanly to ebuild, ebuild cleanly installs the portage-2.1.4.5.patch, and it builds and installs as expected. Resulting portage can install things, including itself. ========================== Sun Oct 5 16:49:20 2008 >>> sys-apps/portage-2.1.4.5 Sun Oct 5 16:54:34 2008 >>> sys-apps/portage-2.1.4.5 HPPA is OK. looks good on ppc64 Looks okay on alpha/arm/ia64/sh/x86 Okay on amd64. ============== Mon Oct 6 18:59:22 2008 >>> sys-apps/portage-2.1.4.5 Mon Oct 6 18:59:57 2008 >>> sys-apps/portage-2.1.4.5 looks good on ppc, too I think everyone's accounted for. Shall I go ahead and add portage-2.1.4.5 to the tree, directly with stable keywords? please give us a day to finish glsa drafting and review public, this is GLSA-200810-02 Now this released in both 2.1.4.5 and 2.2_rc12. Thanks, closing then. |