Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 531002 - <dev-lang/python-{2.7.10,3.4.4}: dumbdbm "eval()" Arbitrary Code Execution Vulnerability
Summary: <dev-lang/python-{2.7.10,3.4.4}: dumbdbm "eval()" Arbitrary Code Execution Vu...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://bugs.python.org/issue22885
Whiteboard: A2 [glsa cve]
Keywords:
Depends on: CVE-2016-0772
Blocks:
  Show dependency tree
 
Reported: 2014-11-28 14:17 UTC by Agostino Sarubbo
Modified: 2017-01-10 14:00 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-11-28 14:17:18 UTC
From ${URL} :

The dumbdbm module uses an unchecked call to eval() in the _update method, which is called in response to a call to dumbdbm.open(), and is used to load the index from the directory file.  This poses a security vulnerability because it allows an attacker to 
execute arbitrary code on the victim's machine by inserting python code into the DBM directory file.  This vulnerability could allow an attacker to execute arbitrary commands on the victim machine, potentially allowing them to deploy malware, gain system access, 
destroy files and data, expose sensitive information, etc.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev Security 2014-12-29 01:26:38 UTC
Is this bug being addressed by Bug #532232?
Comment 2 Thomas Deutschmann gentoo-dev Security 2016-12-01 16:55:09 UTC
From http://bugs.python.org/issue22885#msg236073:

> New changeset 02865d22a98d by Serhiy Storchaka in branch '2.7':
> Fixed arbitrary code execution vulnerability in the dumbdbm
> https://hg.python.org/cpython/rev/02865d22a98d

To answer Yury's question from comment #1, 

$ hg log -r "02865d22a98d :: and tag()"
changeset:   95937:80ccce248ba2
branch:      2.7
tag:         v2.7.10rc1
user:        Benjamin Peterson <benjamin@python.org>
date:        Sun May 10 13:14:16 2015 -0400
summary:     bump version to 2.7.10rc1

changeset:   96239:15c95b7d81dc
branch:      2.7
tag:         v2.7.10
parent:      96234:2a7b0e145945
user:        Benjamin Peterson <benjamin@python.org>
date:        Sat May 23 11:02:14 2015 -0500
summary:     python 2.7.10 final

so it wasn't addressed by bug 532232.


> New changeset 693bf15b4314 by Serhiy Storchaka in branch '3.4':
> Fixed arbitrary code execution vulnerability in the dbm.dumb
> https://hg.python.org/cpython/rev/693bf15b4314

$ hg log -r "693bf15b4314:: and tag()"

[...]

branch:      3.4
tag:         v3.4.4rc1
user:        Larry Hastings <larry@hastings.org>
date:        Sun Dec 06 05:53:35 2015 -0800
summary:     Version bump for 3.4.4rc1.

changeset:   99647:737efcadf5a6
branch:      3.4
tag:         v3.4.4
user:        Larry Hastings <larry@hastings.org>
date:        Sat Dec 19 19:31:10 2015 -0800
summary:     Release bump for Python 3.4.4 final.



V2.7 branch was fixed in Gentoo since https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-lang/python/python-2.7.10.ebuild?view=log and =dev-lang/python-2.7.10-r1 is the current stable version. No vulnerable version left.


v3.4 branch was fixed in Gentoo since https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66faa8a8ce224eb34541e5fbbbaef87dc233032a however stabilization is currently in progress via bug 585946.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-01-10 14:00:58 UTC
This issue was resolved and addressed in
 GLSA 201701-18 at https://security.gentoo.org/glsa/201701-18
by GLSA coordinator Thomas Deutschmann (whissi).