Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 239560 (CVE-2008-4394) - sys-apps/portage <2.1.4.5 Insecure search path for python -c in ebuilds (CVE-2008-4394)
Summary: sys-apps/portage <2.1.4.5 Insecure search path for python -c in ebuilds (CVE-...
Status: RESOLVED FIXED
Alias: CVE-2008-4394
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A1 [glsa]
Keywords:
Depends on:
Blocks: 224925 240304 240722 595028
  Show dependency tree
 
Reported: 2008-10-04 16:15 UTC by Robert Buchholz (RETIRED)
Modified: 2016-09-24 19:48 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
2.1.4.5 patch that applies on top of 2.1.4.4 (portage-2.1.4.5.patch,3.28 KB, patch)
2008-10-05 07:21 UTC, Zac Medico
no flags Details | Diff
patch portage-2.1.4.4.ebuild to make work for 2.1.4.5 (portage-2.1.4.5.ebuild.patch,721 bytes, patch)
2008-10-05 07:43 UTC, Zac Medico
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-10-04 16:15:09 UTC
solar pointed out in bug 224925 that python -c will prepend . to sys.path, loading imports from the CWD.
If an attacker can place a crafted python module (such as tkinter.py) in a world-writable directory, and entice the root user to run 'emerge' from that directory, he would gain root privileges if emerge calls ebuild functions that do not have their CWD sanitized (which is the case for all pkg_ functions).

The following list of ebuilds is vulerable to these attacks:

app-text/txt2tags calls python -c in pkg_setup, should use 
python_mod_exists
dev-python/twisted calls python -c in update_plugin_cache in pkg_postinst 
and pkg_postrm
net-mail/fetchmail calls python -c in pkg_postinst, should use 
python_mod_exists
sys-apps/portage calls python -c in compile_all_python_bytecodes from 
pkg_postinst
app-admin/sabayon calls python_mod_exists from pkg_setup
dev-python/pythong calls python_mod_exists/python_tkinter_exists from 
pkg_setup
app-editors/leo calls python_tkinter_exists from pkg_setup
games-board/pysol calls python_tkinter_exists from pkg_setup
media-gfx/skencil calls python_tkinter_exists from pkg_setup
media-sound/lilycomp calls python_tkinter_exists from pkg_setup
net-im/msnlib calls python_tkinter_exists from pkg_setup
sci-misc/gato calls python_tkinter_exists from pkg_setup
sci-visualization/mayavi calls python_tkinter_exists from pkg_setup

twisted.eclass calls python -c in update_plugin_cache from 
twisted_pkg_postrm and twisted_pkg_postinst
affects:
 dev-python/twisted-conch
 dev-python/twisted-flow
 dev-python/twisted-lore
 dev-python/twisted-mail
 dev-python/twisted-names
 dev-python/twisted-news
 dev-python/twisted-pair
 dev-python/twisted-runner
 dev-python/twisted-web
 dev-python/twisted-words
 dev-python/twisted-xish
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-10-04 16:34:05 UTC
zmedico agreed that this issue is best fixed in Portage itself, as that would also secure ebuilds in overlays, and future mistakes in trusting 'python -c'.

Portage 2.2_rc10 tries to sanitize the CWD (cd $PORTAGE_BUILDDIR) before calling pkg_ functions in ebuilds, but fails when the directory does not exist (such as in the pkg_setup() function). Zac, we need to make sure the cd call has a target that is guaranteed to exist, and emerge dies if it fails.


Steps to reproduce:

rbu@peanut /tmp $ cat _tkinter.py
open("/tmp/owned", 'w').write('yes')
rbu@peanut /tmp $ ls -la _tkinter.py owned
ls: cannot access owned: No such file or directory
-rw-r--r-- 1 rbu rbu 37 2008-10-04 18:29 _tkinter.py

In a root shell, run:
peanut tmp # USE=tk emerge app-text/txt2tags

And then we see:
rbu@peanut /tmp $ ls -la _tkinter.py owned
-rw-r--r-- 1 root root  3 2008-10-04 18:29 owned
-rw-r--r-- 1 rbu  rbu  38 2008-10-04 18:29 _tkinter.py
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-10-04 16:37:44 UTC
General TODOs for this issue:

1) Prepare a patch to ebuild.sh
2) Prepare a portage-2.1.4.5 release (non-public), that we then test with arch
   security liaisons on this bug.
3) Push out a GLSA and the stable Portage release.
4) Contact other package manager maintainers about their (~arch) PMs
5) Include CWD preconditions in EAPI
Comment 3 Zac Medico gentoo-dev 2008-10-05 07:21:07 UTC
Created attachment 167252 [details, diff]
2.1.4.5 patch that applies on top of 2.1.4.4

The first and last hunks (in ebuild.sh and portage.py) are for this bug:

    Fixes for Bug #239560:
    * When ensuring sane $PWD in ebuild.sh, die if the `cd "$PORTAGE_BUILDDIR"`
      call fails.
    * In portage.py, create $PORTAGE_BUILDDIR for the "fetch" phase too since
      it might be necessary to call pkg_nofetch.

The patch also includes some patches for a few other bugs that should also get fixed since we're doing a bump:

    Bug #239471 - Handle InvalidDependString from portdbapi.getfetchlist()
    inside search.output(). (trunk r11602)

    Bug #239006 - In FakeVartree._aux_get_wrapper(), fall back to vdb metadata
    if the live ebuild's EAPI is unsupported. (trunk r11600)

    Bug #222091 - Filter out any instances of the \1 character from variable
    values since this character multiplies each time that the environment
    is saved (strange bash behavior). This can eventually result in
    mysterious 'Argument list too long' errors from programs that have
    huge strings of \1 characters in their environment. (trunk r11485)
Comment 4 Zac Medico gentoo-dev 2008-10-05 07:43:41 UTC
Created attachment 167255 [details, diff]
patch portage-2.1.4.4.ebuild to make work for 2.1.4.5
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-10-05 14:06:31 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug:
=sys-apps/portage-2.1.4.5
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : yoswink, armin76
   amd64 : keytoaster, tester
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
   sparc : fmccor
     x86 : maekke, armin76
Comment 6 Ferris McCormick (RETIRED) gentoo-dev 2008-10-05 17:05:25 UTC
Sparc looks good.  Patch installs cleanly to ebuild, ebuild cleanly installs the portage-2.1.4.5.patch, and it builds and installs as expected.  Resulting portage can install things, including itself.
==========================
Sun Oct  5 16:49:20 2008 >>> sys-apps/portage-2.1.4.5
Sun Oct  5 16:54:34 2008 >>> sys-apps/portage-2.1.4.5
Comment 7 Jeroen Roovers gentoo-dev 2008-10-05 18:27:56 UTC
HPPA is OK.
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2008-10-06 07:25:54 UTC
looks good on ppc64
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2008-10-06 08:24:11 UTC
Looks okay on alpha/arm/ia64/sh/x86
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-06 17:04:14 UTC
Okay on amd64.
==============
Mon Oct  6 18:59:22 2008 >>> sys-apps/portage-2.1.4.5
Mon Oct  6 18:59:57 2008 >>> sys-apps/portage-2.1.4.5
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-07 18:02:24 UTC
looks good on ppc, too
Comment 12 Zac Medico gentoo-dev 2008-10-08 16:24:47 UTC
I think everyone's accounted for. Shall I go ahead and add portage-2.1.4.5 to the tree, directly with stable keywords?
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-10-08 16:32:59 UTC
please give us a day to finish glsa drafting and review
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-10-09 17:49:01 UTC
public, this is GLSA-200810-02
Comment 15 Zac Medico gentoo-dev 2008-10-09 21:57:07 UTC
Now this released in both 2.1.4.5 and 2.2_rc12.
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-10-09 22:20:52 UTC
Thanks, closing then.