Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 288361 - app-admin/python-updater: Potentially unsafe import (CVE requested)
Summary: app-admin/python-updater: Potentially unsafe import (CVE requested)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-10-09 19:58 UTC by Robert Buchholz (RETIRED)
Modified: 2010-09-22 20:36 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Updated python-updater (python-updater,18.21 KB, text/plain)
2009-12-26 18:15 UTC, Arfrever Frehtes Taifersar Arahesis (RETIRED)
no flags Details
Updated python-updater (python-updater,20.49 KB, text/plain)
2009-12-30 16:25 UTC, Arfrever Frehtes Taifersar Arahesis (RETIRED)
no flags Details
python-updater-0.7-r1.ebuild.patch (python-updater-0.7-r1.ebuild.patch,353 bytes, text/plain)
2010-01-03 23:11 UTC, Arfrever Frehtes Taifersar Arahesis (RETIRED)
no flags Details
Changes generated by sed (python-updater-0.7-fix_import.patch,1.22 KB, patch)
2010-01-04 11:14 UTC, Arfrever Frehtes Taifersar Arahesis (RETIRED)
no flags Details | Diff
python-updater-0.7-r1.ebuild.patch (python-updater-0.7-r1.ebuild.patch,732 bytes, patch)
2010-01-12 16:49 UTC, Arfrever Frehtes Taifersar Arahesis (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-10-09 19:58:02 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

python-updater since at least 0.5 and including 0.7 (old and new stable) are a bash script that calls:
  /usr/bin/python -c 'import portage'

This will include the current working directory in the module search path and can be exploited by a malicious user that triggers another user (typically root) to call "python-updater" from a directory containing a trojan horse python module.

The python call should include code to clean the cwd from sys.path. Please propose a patch and attach it to this bug. We would like to do prestable testing under embargo and coordinate a new python-updater release with a GLSA.
Comment 1 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-10-09 22:49:01 UTC
Firstly, this bug seems to be a duplicate of bug #224925.

Secondly, 'python -c "import sys; sys.path.remove(''); import portage"' can be used.

Thirdly, the get_portage_python() function seems to be a part of never finished support for Portage installed in site-packages directory. The output of this function is assigned to PORTAGE_PYTHON variable which is never used. There is also '[[ $? != 0 ]] && exit 1', so if 'portage' module wasn't found anywhere, then python-updater would exit. 'portage' module isn't installed in site-packages directory, so this code (get_portage_python() function, all assignments of PORTAGE_PYTHON variable and '[[ $? != 0 ]] && exit 1') could be safely removed.

Zac, are there any plans to install 'portage' module in site-packages directory in future versions of Portage?
Comment 2 Zac Medico gentoo-dev 2009-10-09 22:56:00 UTC
(In reply to comment #1)
> Zac, are there any plans to install 'portage' module in site-packages directory
> in future versions of Portage?

No, because /usr/lib/portage works smoothest for python upgrades (python3 even).
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-11-16 15:08:00 UTC
Arfrever, can you please attach a patch against python-updater 0.7 to this bug so we can prepare stabling of this version here?
Comment 4 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-11-22 21:24:46 UTC
(In reply to comment #3)

Yes, I will create attachment. I was very busy recently.
Comment 5 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-12-26 18:15:38 UTC
Created attachment 214227 [details]
Updated python-updater

I'm attaching updated python-updater file, which will be included in app-admin/python-updater-0.8 probably without additional changes.
Comment 6 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-12-30 16:25:01 UTC
Created attachment 214636 [details]
Updated python-updater
Comment 7 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-12-31 14:07:08 UTC
Arch Security Liaisons, please test the attached file and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : armin76, klausman
   amd64 : keytoaster, chainsaw
    hppa : jer
     ppc : josejx, ranger
   ppc64 : josejx, ranger
   sparc : armin76, tcunha
     x86 : fauli, maekke

If you (esp. armin76, maekke) want to do any of your other arches as well, feel free to.
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2009-12-31 16:03:44 UTC
Seems to do what it should on x86.
Comment 9 Jeroen Roovers gentoo-dev 2009-12-31 16:14:35 UTC
I get this and I don't get it:

elmer ~ # sh /keeps/gentoo/bugs/288361/python-updater.txt
 * Starting Python Updater [New main active Python version: 2.6]
/keeps/gentoo/bugs/288361/python-updater.txt: command substitution: line 530: syntax error near unexpected token `<'
/keeps/gentoo/bugs/288361/python-updater.txt: command substitution: line 530: `scanelf -qF "%F %n" < <(grep -E "^obj" "${content}" | cut -d" " -f2) | grep -E "( |,)${OLD_PYTHON_SHARED_LIBRARIES_REGEX}(,|$)")"'
 * No packages need to be reinstalled.
Comment 10 Jeroen Roovers gentoo-dev 2009-12-31 16:17:53 UTC
Also, the diff between stable 0.7 and the attached version is HUGE:

elmer ~ #  diff -u /usr/sbin/python-updater /keeps/gentoo/bugs/288361/python-updater.txt  | diffstat 
 python-updater.txt |  468 ++++++++++++++++++++++++++++++++++-------------------
 1 file changed, 306 insertions(+), 162 deletions(-)

Shouldn't you issue a version that branches out to simply fixes this security problem and /then/ focus on development again?
Comment 11 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-12-31 16:25:03 UTC
(In reply to comment #10)
> Shouldn't you issue a version that branches out to simply fixes this security
> problem and /then/ focus on development again?
> 

Yes. Arfrefer, please prepare another version.
Comment 12 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2009-12-31 20:22:29 UTC
(In reply to comment #9)

You probably have POSIXLY_CORRECT set in environment. `set -o posix` would also set it. You should disable it.
Comment 13 Jeroen Roovers gentoo-dev 2009-12-31 20:30:51 UTC
(In reply to comment #12)
> (In reply to comment #9)
> 
> You probably have POSIXLY_CORRECT set in environment. `set -o posix` would also
> set it. You should disable it.

No I don't. But I was running it through `sh '.

Marking it executable and running it without `sh ' prefixed makes the problem go away.

Still, I don't know how many 9999 users you have out there, but I still think it's safer to apply the security patches to the current stable.
Comment 14 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-01-03 21:11:20 UTC
(In reply to comment #13)
> Still, I don't know how many 9999 users you have out there, but I still think
> it's safer to apply the security patches to the current stable.
> 

Arfrefer, please provide the 0.7-r1 as discussed on IRC *immediately*.
Comment 15 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-01-03 23:11:33 UTC
Created attachment 215099 [details]
python-updater-0.7-r1.ebuild.patch
Comment 16 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-01-04 11:14:56 UTC
Created attachment 215151 [details, diff]
Changes generated by sed

For easier review, I'm attaching the patch containing changes generated by sed.
Comment 17 Jeroen Roovers gentoo-dev 2010-01-04 12:58:08 UTC
HPPA seems to be OK (and PPC too, josejx).
Comment 18 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-01-12 16:12:46 UTC
As stated in a #gentoo-security discussion, there are concerns raised by craig, and supported by Chainsaw, myself, and QA to the nature of the fix propagation method (sed), we expect an ebuild that uses the diff attached here and epatch.

I am postponing the CRD by seven days. Sorry, arch guys for the inconvenience. 
Comment 19 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-01-12 16:49:42 UTC
Created attachment 216245 [details, diff]
python-updater-0.7-r1.ebuild.patch

Each Gentoo developer should be able to imagine this patch.
Additional delaying seems to be unreasonable.
Comment 20 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-01-28 15:28:03 UTC
I'm planning to add app-admin/python-updater-0.7-r1 to the tree maybe tomorrow.
Comment 21 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-01-29 17:39:02 UTC
app-admin/python-updater-0.7-r1 is now in the tree. It's currently stable on hppa and ppc.
Comment 22 Christian Faulhammer (RETIRED) gentoo-dev 2010-02-01 22:02:38 UTC
x86 done
Comment 23 Jeroen Roovers gentoo-dev 2010-03-09 03:29:52 UTC
Wow, nothing happened for more than a month?
Comment 24 Joe Jezak (RETIRED) gentoo-dev 2010-03-09 22:50:38 UTC
I've marked it ppc64 stable as well.
Comment 25 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-18 00:20:49 UTC
GLSA request filed.
Comment 26 Raúl Porcel (RETIRED) gentoo-dev 2010-07-18 11:15:22 UTC
0.8 stable, is this still needed? Or at least the arch liaisons need to be cc'ed?
Comment 27 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-22 20:36:31 UTC
GLSA 201009-08, thanks everyone.