Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 621884 (CVE-2017-2810)

Summary: <dev-python/tablib-0.12.1: Databook loading functionality allows command execution
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: openstack, vdupras
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1461297
Whiteboard: B2 [glsa+ cve]
Package list:
dev-python/tablib-0.12.1-r1 dev-python/cliff-tablib-1.1-r2 dev-python/odfpy-1.3.6
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2017-06-16 07:58:12 UTC
From ${URL} :

An exploitable vulnerability exists in the Databook loading functionality of Tablib. A yaml loaded Databook can execute arbitrary python commands resulting in command execution. An attacker can insert 
python into loaded yaml to trigger this vulnerability.

External References:

https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0307


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2017-06-16 08:21:25 UTC
CVE-2017-2810 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2810):
  An exploitable vulnerability exists in the Databook loading functionality of
  Tablib 0.11.4. A yaml loaded Databook can execute arbitrary python commands
  resulting in command execution. An attacker can insert python into loaded
  yaml to trigger this vulnerability.
Comment 2 Pacho Ramos gentoo-dev 2018-06-26 18:08:15 UTC
[master 1078dfe2d392] dev-python/tablib: Version bump
 2 files changed, 33 insertions(+)
 create mode 100644 dev-python/tablib/tablib-0.12.1.ebuild
Comment 3 Agostino Sarubbo gentoo-dev 2018-06-28 08:03:06 UTC
amd64 stable
Comment 4 Thomas Deutschmann gentoo-dev Security 2018-07-01 21:51:56 UTC
x86 cannot stabilize due to bug 659790.
Comment 5 Larry the Git Cow gentoo-dev 2018-08-07 15:55:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ff4a3ffcca07f8148c57cc86a8f159e3bc43a17

commit 2ff4a3ffcca07f8148c57cc86a8f159e3bc43a17
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-07 15:55:12 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-07 15:55:12 +0000

    dev-python/tablib: fix broken package
    
    * Dependencies were both incomplete and spurious
    * Fix tests which were failing for many different reasons
    
    Bug: https://bugs.gentoo.org/659790
    Bug: https://bugs.gentoo.org/621884
    Package-Manager: Portage-2.3.44, Repoman-2.3.10

 .../tablib/files/tablib-0.12.1-no-ujson.patch      | 16 ++++++++
 dev-python/tablib/tablib-0.12.1-r1.ebuild          | 45 ++++++++++++++++++++++
 2 files changed, 61 insertions(+)
Comment 6 Virgil Dupras gentoo-dev 2018-08-07 15:59:04 UTC
As outlined in bug 659790, fixing tests for this package implied adding dev-python/odfpy to dependencies. Refreshing package list and re-CC-ing amd64.
Comment 7 Stabilization helper bot gentoo-dev 2018-08-07 16:59:23 UTC
An automated check of this bug failed - repoman reported dependency errors (10 lines truncated): 

> dependency.bad dev-python/cliff-tablib/cliff-tablib-1.1-r1.ebuild: RDEPEND: x86(default/linux/x86/17.0) ['dev-python/tablib[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,python_targets_python3_6(-)?,-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-),-python_single_target_python3_6(-)]']
> dependency.bad dev-python/cliff-tablib/cliff-tablib-1.1-r1.ebuild: RDEPEND: x86(default/linux/x86/17.0/desktop) ['dev-python/tablib[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,python_targets_python3_6(-)?,-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-),-python_single_target_python3_6(-)]']
> dependency.bad dev-python/cliff-tablib/cliff-tablib-1.1-r1.ebuild: RDEPEND: x86(default/linux/x86/17.0/desktop/gnome) ['dev-python/tablib[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,python_targets_python3_6(-)?,-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-),-python_single_target_python3_6(-)]']
Comment 8 Virgil Dupras gentoo-dev 2018-08-24 13:06:23 UTC
No longer depends on bug 659790. Stabilization process can resume.
Comment 9 Agostino Sarubbo gentoo-dev 2018-08-28 12:52:47 UTC
amd64 stable
Comment 10 Thomas Deutschmann gentoo-dev Security 2018-09-09 22:50:23 UTC
x86 stable
Comment 11 Thomas Deutschmann gentoo-dev Security 2018-09-09 22:53:53 UTC
@ maintainer(s): Please cleanup and drop <dev-python/tablib-0.12.1-r1!
Comment 12 Larry the Git Cow gentoo-dev 2018-09-09 23:05:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29c9ca0f414cef6a265ca254a98f86cfa045c5e4

commit 29c9ca0f414cef6a265ca254a98f86cfa045c5e4
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-09-09 23:05:22 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-09-09 23:05:22 +0000

    dev-python/tablib: remove old and vulnerable
    
    Bug: https://bugs.gentoo.org/621884
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 dev-python/tablib/Manifest             |  1 -
 dev-python/tablib/tablib-0.11.2.ebuild | 28 ----------------------------
 dev-python/tablib/tablib-0.12.1.ebuild | 32 --------------------------------
 3 files changed, 61 deletions(-)
Comment 13 Virgil Dupras gentoo-dev 2018-09-09 23:06:40 UTC
Done.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2018-11-27 02:03:38 UTC
This issue was resolved and addressed in
 GLSA 201811-18 at https://security.gentoo.org/glsa/201811-18
by GLSA coordinator Aaron Bauman (b-man).