Bug 224925 - dev-lang/python privilege escalation (libs being loaded from CWD)
Status: RESOLVED CANTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All / OS: All
Importance: High critical
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A1? [upstream]
Keywords:
Depends on: CVE-2008-4394
Blocks:
Reported: 2008-06-04 18:56 UTC by Christian Hoffmann (RETIRED)
Modified: 2008-10-09 17:53 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
safe-import.py (588 bytes, text/plain), 2008-06-04 21:39 UTC, Ali Polatel (RETIRED)

Description Christian Hoffmann (RETIRED) gentoo-dev 2008-06-04 18:56:12 UTC
solar discovered that Python tries to load python modules (.py, .pyc, .so) from the current working directory, which might be owned by non-trusted users.

This might lead to execution of arbitrary code in the context of the user running python.
Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-06-04 19:06:16 UTC
Setting whiteboard (security, please recheck!).

Python herd, please advise.
Portage team, I CC'ed you as something like "sudo emerge" is probably rather common, although not necessarily from untrusted directories. Not much to do for you probably.

A quick strace on a Debian system seems to show the same behavior, so this does not seem to be Gentoo-specific.

Comment 2 Ali Polatel (RETIRED) gentoo-dev 2008-06-04 21:39:25 UTC
Created attachment 155545
safe-import.py

It's a bit late to dive into cpython stuff right now - gmt+3 here :-] - but
here is a temporary workaround for those who are paranoid.
I'll try to come up with a fix tomorrow.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-06-04 23:51:40 UTC
This behaviour is documented and specified in the Python docs, quote http://docs.python.org/lib/module-sys.html :

========================================================================
path
    A list of strings that specifies the search path for modules. Initialized from the environment variable PYTHONPATH, plus an installation-dependent default.

    As initialized upon program startup, the first item of this list, path[0], is the directory containing the script that was used to invoke the Python interpreter. If the script directory is not available (e.g. if the interpreter is invoked interactively or if the script is read from standard input), path[0] is the empty string, which directs Python to search modules in the current directory first. Notice that the script directory is inserted before the entries inserted as a result of PYTHONPATH.
========================================================================

Python uses the current working directory only in interactive sessions. In all scenarios where scripts are being called, the directory where the script resides is used. So this would only affect users who run python programs situated (or symlinked) in a world-writable directory. If you trust the person owning the file, and the directory is sticky, executing that file should be safe, and here is where the described problem kicks in. But still, this is a corner case that should definitely not affect out-of-the-box software in Gentoo.
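The following is an added example (not part of the bug report, the attached safe-import.py, or any Gentoo code) that reproduces the behaviour quoted above and the `-c` case raised later in the thread. It spawns the running interpreter in several invocation modes from an "untrusted" directory containing a rogue module, and reports in which modes that module gets executed. The module name `ebuild_helper`, the marker string and the temporary directories are constructed for the demo. Two mitigations are shown: stripping the empty entry and the cwd from `sys.path` before importing, and CPython's `-I` (isolated mode, available since 3.4), which does not add the script directory or the cwd to `sys.path` at all.

```python
"""Probe which CPython invocation modes import modules from the current working
directory, and show two ways to avoid it. Added example; names are made up."""
import os
import subprocess
import sys
import tempfile
import textwrap

ROGUE_MODULE = "ebuild_helper"          # hypothetical name of the attacker's module
MARKER = "ROGUE-MODULE-EXECUTED"        # printed by the rogue module when it runs

# Code that tries to import the rogue module; used via -c, stdin and a script file.
PROBE = textwrap.dedent(f"""\
    try:
        import {ROGUE_MODULE}
    except ImportError:
        print("not found")
""")

# Mitigation 1: drop '' (cwd placeholder for -c / stdin / interactive) and the
# absolute cwd (used by -m) from sys.path before any user-level import happens.
STRIP_CWD = (
    "import os, sys\n"
    "sys.path[:] = [p for p in sys.path if p not in ('', os.getcwd())]\n"
)


def _rogue_ran(args, cwd, stdin=None):
    """Run `python <args>` in `cwd` and report whether the rogue module executed."""
    env = dict(os.environ)
    env.pop("PYTHONPATH", None)        # keep the experiment independent of the caller's env
    env.pop("PYTHONSAFEPATH", None)
    proc = subprocess.run([sys.executable, *args], cwd=cwd, env=env, input=stdin,
                          capture_output=True, text=True)
    return MARKER in proc.stdout


def probe_cwd_import():
    """Return {invocation mode: True if the module in the cwd was imported}."""
    results = {}
    with tempfile.TemporaryDirectory() as untrusted, tempfile.TemporaryDirectory() as trusted:
        # Attacker-controlled directory: plant a module that announces itself.
        with open(os.path.join(untrusted, ROGUE_MODULE + ".py"), "w") as f:
            f.write(f'print("{MARKER}")\n')
        # Trusted script living somewhere else, as in the documented script case.
        script = os.path.join(trusted, "tool.py")
        with open(script, "w") as f:
            f.write(PROBE)

        results["-c from untrusted cwd"] = _rogue_ran(["-c", PROBE], untrusted)
        results["stdin from untrusted cwd"] = _rogue_ran(["-"], untrusted, stdin=PROBE)
        results["script from untrusted cwd"] = _rogue_ran([script], untrusted)
        results["-c with cwd removed from sys.path"] = _rogue_ran(["-c", STRIP_CWD + PROBE], untrusted)
        results["-I -c from untrusted cwd"] = _rogue_ran(["-I", "-c", PROBE], untrusted)
    return results


if __name__ == "__main__":
    for mode, loaded in probe_cwd_import().items():
        print(f"{mode:40s} rogue module loaded: {loaded}")
```

`-I` also implies `-E` and `-s`, so it ignores `PYTHONPATH` and the user site directory; for a build system that relies on `PYTHONPATH`, the explicit `sys.path` filtering is the less intrusive option. Neither helps with `sys.path[0]` being the script's own directory, which is the sticky/world-writable case discussed above.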
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-06 17:14:23 UTC
so, what do we do here? close this as invalid since it's a documented behaviour?
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-07-06 21:29:27 UTC
Solar, do you want to follow up on the problem of it happening for "-c" ? Otherwise, I'll go with INVALID.
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-19 21:28:27 UTC
(In reply to comment #5)
> Solar, do you want to follow up on the problem of it happening for "-c" ?
> Otherwise, I'll go with INVALID.
> 

ping.
Comment 7 solar (RETIRED) gentoo-dev 2008-09-19 21:52:38 UTC
Do what you wish I really don't have time to focus on this. I would say I dislike the described behavior of python.

The following ebuilds might need to be audited for the use of python -c directly
app-portage/metagen
app-text/txt2tags
dev-python/twisted
dev-util/boa-constructor
media-sound/ecasound
net-mail/fetchmail
net-misc/omniORB
sys-apps/portage

As well as these eclasses.
eclass/python.eclass
eclass/twisted.eclass
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-09-20 11:20:35 UTC
(In reply to comment #7)
> The following ebuilds might need to be audited for the use of python -c
> directly

Done. Let's discuss the details later.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-10-09 17:53:03 UTC
The issues in our ebuilds have been solved by bug 224925, so I am going to close this bug.