Bug 621884 (CVE-2017-2810)

Summary:	<dev-python/tablib-0.12.1: Databook loading functionality allows command execution
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	openstack, vdupras
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://bugzilla.redhat.com/show_bug.cgi?id=1461297
Whiteboard:	B2 [glsa+ cve]
Package list:	dev-python/tablib-0.12.1-r1 dev-python/cliff-tablib-1.1-r2 dev-python/odfpy-1.3.6	Runtime testing required:	---

Description Agostino Sarubbo gentoo-dev

2017-06-16 07:58:12 UTC

From ${URL} :

An exploitable vulnerability exists in the Databook loading functionality of Tablib. A yaml loaded Databook can execute arbitrary python commands resulting in command execution. An attacker can insert 
python into loaded yaml to trigger this vulnerability.

External References:

https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0307


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 GLSAMaker/CVETool Bot gentoo-dev

2017-06-16 08:21:25 UTC

CVE-2017-2810 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2810):
  An exploitable vulnerability exists in the Databook loading functionality of
  Tablib 0.11.4. A yaml loaded Databook can execute arbitrary python commands
  resulting in command execution. An attacker can insert python into loaded
  yaml to trigger this vulnerability.

Comment 2 Pacho Ramos gentoo-dev

2018-06-26 18:08:15 UTC

[master 1078dfe2d392] dev-python/tablib: Version bump
 2 files changed, 33 insertions(+)
 create mode 100644 dev-python/tablib/tablib-0.12.1.ebuild

Comment 3 Agostino Sarubbo gentoo-dev

2018-06-28 08:03:06 UTC

amd64 stable

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2018-07-01 21:51:56 UTC

x86 cannot stabilize due to bug 659790.

Comment 5 Larry the Git Cow gentoo-dev

2018-08-07 15:55:53 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ff4a3ffcca07f8148c57cc86a8f159e3bc43a17

commit 2ff4a3ffcca07f8148c57cc86a8f159e3bc43a17
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-08-07 15:55:12 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-08-07 15:55:12 +0000

    dev-python/tablib: fix broken package
    
    * Dependencies were both incomplete and spurious
    * Fix tests which were failing for many different reasons
    
    Bug: https://bugs.gentoo.org/659790
    Bug: https://bugs.gentoo.org/621884
    Package-Manager: Portage-2.3.44, Repoman-2.3.10

 .../tablib/files/tablib-0.12.1-no-ujson.patch      | 16 ++++++++
 dev-python/tablib/tablib-0.12.1-r1.ebuild          | 45 ++++++++++++++++++++++
 2 files changed, 61 insertions(+)

Comment 6 Virgil Dupras (RETIRED) gentoo-dev

2018-08-07 15:59:04 UTC

As outlined in bug 659790, fixing tests for this package implied adding dev-python/odfpy to dependencies. Refreshing package list and re-CC-ing amd64.

Comment 7 Stabilization helper bot gentoo-dev

2018-08-07 16:59:23 UTC

An automated check of this bug failed - repoman reported dependency errors (10 lines truncated): 

> dependency.bad dev-python/cliff-tablib/cliff-tablib-1.1-r1.ebuild: RDEPEND: x86(default/linux/x86/17.0) ['dev-python/tablib[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,python_targets_python3_6(-)?,-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-),-python_single_target_python3_6(-)]']
> dependency.bad dev-python/cliff-tablib/cliff-tablib-1.1-r1.ebuild: RDEPEND: x86(default/linux/x86/17.0/desktop) ['dev-python/tablib[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,python_targets_python3_6(-)?,-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-),-python_single_target_python3_6(-)]']
> dependency.bad dev-python/cliff-tablib/cliff-tablib-1.1-r1.ebuild: RDEPEND: x86(default/linux/x86/17.0/desktop/gnome) ['dev-python/tablib[python_targets_python2_7(-)?,python_targets_python3_4(-)?,python_targets_python3_5(-)?,python_targets_python3_6(-)?,-python_single_target_python2_7(-),-python_single_target_python3_4(-),-python_single_target_python3_5(-),-python_single_target_python3_6(-)]']

Comment 8 Virgil Dupras (RETIRED) gentoo-dev

2018-08-24 13:06:23 UTC

No longer depends on bug 659790. Stabilization process can resume.

Comment 9 Agostino Sarubbo gentoo-dev

2018-08-28 12:52:47 UTC

amd64 stable

Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev

2018-09-09 22:50:23 UTC

x86 stable

Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev

2018-09-09 22:53:53 UTC

@ maintainer(s): Please cleanup and drop <dev-python/tablib-0.12.1-r1!

Comment 12 Larry the Git Cow gentoo-dev

2018-09-09 23:05:34 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29c9ca0f414cef6a265ca254a98f86cfa045c5e4

commit 29c9ca0f414cef6a265ca254a98f86cfa045c5e4
Author:     Virgil Dupras <vdupras@gentoo.org>
AuthorDate: 2018-09-09 23:05:22 +0000
Commit:     Virgil Dupras <vdupras@gentoo.org>
CommitDate: 2018-09-09 23:05:22 +0000

    dev-python/tablib: remove old and vulnerable
    
    Bug: https://bugs.gentoo.org/621884
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 dev-python/tablib/Manifest             |  1 -
 dev-python/tablib/tablib-0.11.2.ebuild | 28 ----------------------------
 dev-python/tablib/tablib-0.12.1.ebuild | 32 --------------------------------
 3 files changed, 61 deletions(-)

Comment 13 Virgil Dupras (RETIRED) gentoo-dev

2018-09-09 23:06:40 UTC

Done.

Comment 14 GLSAMaker/CVETool Bot gentoo-dev

2018-11-27 02:03:38 UTC

This issue was resolved and addressed in
 GLSA 201811-18 at https://security.gentoo.org/glsa/201811-18
by GLSA coordinator Aaron Bauman (b-man).