Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 521344 (CVE-2014-0485) - <sys-fs/s3ql-{1.19,2.11}: Possible remote code execution (CVE-2014-0485)
Summary: <sys-fs/s3ql-{1.19,2.11}: Possible remote code execution (CVE-2014-0485)
Status: RESOLVED FIXED
Alias: CVE-2014-0485
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2014/q3/461
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-08-28 09:01 UTC by Kristian Fiskerstrand
Modified: 2014-08-28 14:54 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand gentoo-dev Security 2014-08-28 09:01:36 UTC
From ${URL}:
Nikolaus Rath discovered a vulnerability in s3ql which can result in
remote code execution, caused by the unsafe use of Python's pickle
serialization library.

The upstream commit is here:

  <https://bitbucket.org/nikratio/s3ql/commits/091ac263809b4e8>

(This issue was reported privately to Debian, the distros list was
notified, and this is the public heads-up required by list policy.)


###

From: https://bitbucket.org/nikratio/s3ql/commits/091ac263809b4e8 : 

SECURITY UPDATE for CVE-2014-0485: Do not blindly unpickle untrusted data.

The pickle protocol allows an attacker to execute arbitrary code by
providing an appropriately crafted pickle stream. To fix this vulnerability,
we prohibit the Unpickler to access any globals. This means that only
Python objects constructed from dict, list, tuple, str, unicode, int, float,
complex, bool and None can be unpickled. Luckily, this is enough to
reconstruct for the kind of data stored by S3QL.

Note that a pickle stream is still able to trigger code execution. However,
code execution is limited to calling the __call__, __new__ and __init__ methods
on instances of the above types (cf. http://hg.python.org/cpython/file/3.4/Lib/pickletools.py).
There is no way to access object attributes, so obtaining access to more
dangerous objects along the lines of http://nedbatchelder.com/blog/201302/finding_python_3_builtins.html
is not possible. While the pickle protocol may change in the future, but
Python 2.x is not going to add support for newer pickle protocols.
Comment 1 Tim Harder gentoo-dev 2014-08-28 14:17:45 UTC
Fixed versions are now in the tree.
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2014-08-28 14:54:47 UTC
Thanks for swift response and cleanup. No stable versions, closing bug noglsa.