Bug 1347130
| Field | Value |
|---|---|
| Summary | Arbitrary code execution due to insecure loading of Python module(s) from CWD |
| Product | Red Hat Enterprise Linux 7 |
| Component | virt-who |
| Version | 7.2 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Dhiru Kholia <dkholia> |
| Assignee | Radek Novacek <rnovacek> |
| QA Contact | Eko <hsun> |
| CC | ovasik |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | No Doc Update |
| Story Points | --- |
| Last Closed | 2016-11-04 05:09:53 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1348410 |
This is fixed in the latest upstream version (0.17) that will be part of the upcoming RHEL-7.3. virt-who now uses entry_point instead of a custom shell script for its /usr/bin/virt-who executable.

Let's move this bug to modified so the QE team can verify that this problem is indeed fixed.

verified in virt-who-0.17-5.el7.noarch.

1). create virtwho.py in PWD

```
# cat virtwho.py
print("boom!")
```

2). run virt-who command

```
# virt-who
2016-07-05 01:59:57,141 INFO: No configurations found, using libvirt as backend
2016-07-05 01:59:57,141 INFO: Using configuration "env/cmdline" ("libvirt" mode)
2016-07-05 01:59:57,142 INFO: Using reporter_id='hp-z220-12.qe.lab.eng.nay.redhat.com-14b12011609544bdb19af97d8c8032a9'
2016-07-05 01:59:57,172 INFO: Using libvirt url: ""
....
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2387.html
Description of problem:

The virt-who script from the virt-who package tries to load the "virtwho.py" Python module from the current working directory (CWD). The virt-who-password utility from the same package is similarly affected.

Version-Release number of selected component (if applicable):

virt-who-0.14-9.el7.noarch

Steps to Reproduce:

```
$ cat > virtwho.py
print("boom!")
$ virt-who # invoke /usr/bin/virt-who script
boom!
```

Additional info:

Upstream Fedora version virt-who-0.17-1.fc24.noarch is not affected by this. This bug is similar to https://bugzilla.redhat.com/show_bug.cgi?id=995060
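The root cause above is that a launcher leaves the current working directory (the `''` entry) on `sys.path`, so `import virtwho` resolves to whatever `virtwho.py` sits in CWD. The following added example (not part of the bug report or of virt-who) audits where a module would be imported from and strips CWD-relative entries from `sys.path`; the helper names `cwd_entries`, `strip_cwd`, `shadowed_from_cwd` and `demo` are my own, and the decoy file it writes is constructed in a temporary directory and never imported.

```python
import importlib.util
import os
import sys
import tempfile

def cwd_entries(path=None):
    # sys.path entries that resolve to CWD: '' and '.' are CWD-relative by definition
    path = sys.path if path is None else path
    cwd = os.path.realpath(os.getcwd())
    return [p for p in path if p in ("", ".") or os.path.realpath(p) == cwd]

def strip_cwd(path=None):
    # Hardening step: drop CWD-relative entries in place and report what was removed
    path = sys.path if path is None else path
    removed = cwd_entries(path)
    path[:] = [p for p in path if p not in removed]
    return removed

def shadowed_from_cwd(module_name):
    # Audit step: the file `import module_name` would load if it lives under CWD, else None
    spec = importlib.util.find_spec(module_name)
    if spec is None or not spec.has_location or not spec.origin:
        return None
    cwd = os.path.realpath(os.getcwd())
    origin = os.path.realpath(spec.origin)
    return spec.origin if origin.startswith(cwd + os.sep) else None

def demo():
    # Constructed scenario: a decoy virtwho.py in CWD, with '' on sys.path the way a
    # `python -c`-style launcher leaves it. Audit, harden, audit again.
    old_cwd, old_path = os.getcwd(), list(sys.path)
    with tempfile.TemporaryDirectory() as tmp:
        try:
            os.chdir(tmp)
            with open("virtwho.py", "w") as f:
                f.write("DECOY = True\n")  # only located by find_spec, never imported
            sys.path.insert(0, "")
            importlib.invalidate_caches()
            before = shadowed_from_cwd("virtwho")
            removed = strip_cwd()
            importlib.invalidate_caches()
            after = shadowed_from_cwd("virtwho")
        finally:
            os.chdir(old_cwd)          # leave CWD before the temp dir is deleted
            sys.path[:] = old_path     # restore the interpreter's original sys.path
    return {"shadowed_before": before is not None, "removed": removed, "shadowed_after": after}

if __name__ == "__main__":
    print(demo())
```

A setuptools entry_point script, as used by the fix, avoids the problem because `sys.path[0]` becomes the script's own directory (/usr/bin) rather than CWD; the audit function still reports any package whose resolution lands under CWD.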