Bug 84050

Summary: dev-python/pyzor: Modules are installed world-writable
Product: Gentoo Security
Reporter: Romang <zataz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED WORKSFORME
Severity: major
CC: python
Priority: High
Version: unspecified
Hardware: x86
OS: Linux
Whiteboard: B1? [] jaervosz
Package list:
Runtime testing required: ---

Description Romang 2005-03-04 00:18:44 UTC
Hello,

I may have found a security flaw in dev-python/pyzor 0.4.0-r1 under Gentoo.

pyzor is used by spamassassin to detect SPAM.

Here is something that troubles me:

[root@www pyzor]$ls -la /usr/lib/python2.3/site-packages/pyzor/__init__.pyc
-rw-rw-rw-  1 root root 28516 Jun 12  2004 /usr/lib/python2.3/site-packages/pyzor/__init__.pyc

and

[root@www pyzor]$ls -la /usr/lib/python2.3/site-packages/pyzor/client.pyc
-rw-rw-rw-  1 root root 39884 Jun 12  2004 /usr/lib/python2.3/site-packages/pyzor/client.pyc

These binaries could be overwritten by every local user; this could affect amavis and spamassassin. Maybe it is possible to execute arbitrary code or gain new privileges.

Regards

Reproducible: Always
Steps to Reproduce:
1.
2.
3.

Expected Results:
Not world writable
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-04 00:44:33 UTC
Python please provide a fixed ebuild.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-04 00:45:12 UTC
Actually reassigning.....
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-03-06 02:13:56 UTC
Python team: please confirm/fix
Comment 4 Bryan Østergaard (RETIRED) gentoo-dev 2005-03-07 03:30:05 UTC
I can't seem to reproduce this problem. emerge pyzor doesn't generate the *.py[co] files in the current ebuilds and python sets the mode as 644 when writing the *.py[co] files.

Reporter, please remove the *.py[co] files and see if you can reproduce this problem.
Comment 5 Bryan Østergaard (RETIRED) gentoo-dev 2005-03-07 12:48:10 UTC
The only way I'm able to reproduce this problem is if I set umask=000 before importing pyzor for the first time. So this looks to be a local problem.

Romang, please make sure your umask is 022 and see if you can reproduce the problem. Just running umask should show the current umask.

To reproduce it, just rm the .pyc file, start python and 'import pyzor'.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-03-08 01:16:43 UTC
Reporter, please reopen if you can reproduce
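A defender-side check for the two things this thread turns on: whether anything under site-packages carries the other-write bit, and how the umask in effect at first import decides the mode of a freshly written .pyc. This is an added example, not code from the bug or from the pyzor project; the constructed package tree and the assumption that the interpreter requests mode 0666 for a new .pyc (consistent with Comment 5: 022 gives 0644, 000 gives 0666) are mine.

```python
import os
import stat
import tempfile


def world_writable_files(root):
    """Return sorted paths (relative to root) of regular files with the other-write bit set."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: report the entry itself, do not follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def mode_after_umask(umask_value, requested=0o666):
    """Create a file under the given umask and return its permission bits.

    Assumption: a new .pyc is requested with mode 0666, so the final mode is
    requested & ~umask. With umask 022 that is 0644; with umask 000 it is 0666.
    """
    old_umask = os.umask(umask_value)  # umask is process-wide; restored below
    try:
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "__init__.pyc")
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested)
            os.close(fd)
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old_umask)


def demo_scan():
    """Scan a constructed tree: one 0666 .pyc (the bug) beside one 0644 .pyc (fine)."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "pyzor")
        os.mkdir(pkg)
        for name, mode in (("__init__.pyc", 0o666), ("client.pyc", 0o644)):
            path = os.path.join(pkg, name)
            open(path, "wb").close()
            os.chmod(path, mode)  # chmod ignores umask, so the tree is deterministic
        return world_writable_files(tmp)


if __name__ == "__main__":
    import sysconfig
    print("constructed tree:", demo_scan())
    print("umask 022 ->", oct(mode_after_umask(0o022)), "umask 000 ->", oct(mode_after_umask(0o000)))
    print("real site-packages:", world_writable_files(sysconfig.get_paths()["purelib"]))
```

The last line scans the running interpreter's own site-packages, which is the check the reporter ran by hand with ls -la.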