Bug 1348507
| Summary: | Arbitrary code execution due to insecure loading of Python module(s) from CWD | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dhiru Kholia <dkholia> |
| Component: | python-qt5 | Assignee: | Than Ngo <than> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 25 | CC: | mhroncok, rdieter, than |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | python-qt5-5.8.1-4.fc26 python-qt5-5.7-7.fc25 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-07-31 06:25:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1348410 | ||
It's fixed in next build in rawhide.

What exactly fixed it? I'm looking at the git log and %changelog and cannot find anything relevant. Thanks.

Actually this has not been fixed:
```
<mock-chroot> sh-4.4# cat > PyQt5.py
print("boom!")
<mock-chroot> sh-4.4# pyuic5
boom!
...
<mock-chroot> sh-4.4# rpm -q python-qt5
python-qt5-5.9-2.fc27.x86_64
```
I just forgot to commit and build it into rawhide. The fix is included in the new python-qt5-5.9-3.fc27. https://koji.fedoraproject.org/koji/taskinfo?taskID=20766225 Sorry and thanks for your attention.

I tried to edit the file accordingly:
```
<mock-chroot> sh-4.4# cat /usr/bin/pyuic5
#!/bin/sh
/usr/bin/python3 -Ic "import PyQt5.uic.pyuic" &> /dev/null
if [ $? -eq 0 ]; then
exec /usr/bin/python3 -Im PyQt5.uic.pyuic ${1+"$@"}
else
exec /usr/bin/python2 -Esm PyQt5.uic.pyuic ${1+"$@"}
fi
<mock-chroot> sh-4.4# pyuic5
boom!
/usr/bin/python2: No module named uic
```
Will actually try the package once built to eliminate the possibility that I've edited it wrong.
Indeed it is not fixed.
```
<mock-chroot> sh-4.4# cat > PyQt5.py
print("boom!")
<mock-chroot> sh-4.4# pyuic5
boom!
...
<mock-chroot> sh-4.4# rpm -q python-qt5
python-qt5-5.9-3.fc27.x86_64
```
It seems you are testing it with python2, which still doesn't work correctly as expected. With python3 it works fine for me. I fixed this issue for python2 in new python-qt5-5.9-4.fc27. Thanks for your testing and feedback!

python-qt5-5.7-7.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a14d76a140

python-qt5-5.8.1-4.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0ee6ae8853

python-qt5-5.7-7.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a14d76a140

python-qt5-5.8.1-4.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0ee6ae8853

python-qt5-5.8.1-4.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

python-qt5-5.7-7.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
The /usr/bin/pyuic5 script from the python-qt5-devel package tries to load the "PyQt5" Python module from the current working directory (CWD).

Steps to Reproduce:

```
$ cat > PyQt5.py
print("boom!")
$ pyuic5 # run /usr/bin/pyuic5
boom!
...
```

Additional info:

This bug is very similar to https://bugzilla.redhat.com/show_bug.cgi?id=995060
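The mechanism behind this report is generic: `python -m pkg.mod` puts the current working directory at the front of `sys.path`, so any file in the CWD named after the top-level package (`PyQt5.py` here) is imported in place of the real one, and `-I` (isolated mode, Python 3.4+) is what stops that. The following is an added example, not code from the bug report or from the python-qt5 package, that reproduces the bug class and the fix without needing PyQt5 at all. Its choices are assumptions for the demo: the stdlib `json.tool` stands in for `PyQt5.uic.pyuic`, a decoy `json.py` in the working directory stands in for the attacker's `PyQt5.py`, and the decoy leaves a marker file so the result does not depend on parsing stdout. Python 2 has no `-I`, which is why the thread's `python2 -Esm` wrapper still imported the decoy; this demo only covers Python 3.

```python
"""Reproduce the CWD-shadowing bug class behind this report and show that
``python -I -m ...`` (the fixed pyuic5 wrapper's flag) closes it.

Added example, not code from the bug report or the python-qt5 package.
Assumptions: stdlib ``json.tool`` stands in for ``PyQt5.uic.pyuic`` and a
decoy ``json.py`` in the working directory stands in for ``PyQt5.py``.
"""
import os
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed attacker payload: it shadows the *parent package* of the module
# that ``-m`` is asked to run, leaves a marker so the caller can tell it was
# imported, and prints the same "boom!" the bug report uses.
DECOY_SOURCE = '''\
from pathlib import Path
Path(__file__).with_name("decoy-ran.marker").write_text("decoy imported\\n")
print("boom!")
'''

TARGET_MODULE = "json.tool"   # assumed stand-in for PyQt5.uic.pyuic
DECOY_FILE = "json.py"        # assumed stand-in for PyQt5.py in the CWD


def run_probe(isolated: bool) -> dict:
    """Run ``python [-I] -m json.tool`` from a directory holding the decoy and
    report whether the decoy, rather than the real package, was imported."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        (workdir / DECOY_FILE).write_text(DECOY_SOURCE)
        marker = workdir / "decoy-ran.marker"

        argv = [sys.executable]
        if isolated:
            argv.append("-I")   # isolated mode: no CWD/script dir, no PYTHONPATH, no user site
        argv += ["-m", TARGET_MODULE]

        # Start from the caller's environment, but make sure PYTHONSAFEPATH
        # (3.11+) is not quietly doing the job of -I for the non-isolated run.
        env = dict(os.environ)
        env.pop("PYTHONSAFEPATH", None)

        proc = subprocess.run(
            argv, cwd=workdir, env=env, input="{}",
            capture_output=True, text=True, timeout=60,
        )
        return {
            "isolated": isolated,
            "decoy_ran": marker.exists(),
            "returncode": proc.returncode,
            "stdout": proc.stdout.strip(),
            "stderr": proc.stderr.strip(),
        }


def check_wrapper_is_isolated() -> bool:
    """Pass/fail check in the spirit of the reporter's reproducer: True when
    the decoy cannot hijack the import once -I is in effect."""
    return not run_probe(isolated=True)["decoy_ran"]


if __name__ == "__main__":
    for isolated in (False, True):
        r = run_probe(isolated)
        flags = "-I -m" if isolated else "-m"
        verdict = "DECOY IMPORTED (vulnerable)" if r["decoy_ran"] else "real module ran (safe)"
        print(f"python {flags} {TARGET_MODULE}: rc={r['returncode']} {verdict}")
        if r["stdout"]:
            print("  stdout:", r["stdout"])
        if r["stderr"]:
            print("  stderr:", r["stderr"].splitlines()[-1])
```

Without `-I` the child imports the decoy as the `json` package (marker written, "boom!" printed) and then fails because the decoy is not a package, which is exactly the "boom! / No module named uic" sequence in the thread; with `-I` the real `json.tool` runs and echoes the `{}` it was fed. The same probe, pointed at the real wrapper and a `PyQt5.py` decoy, is how to verify a fixed `/usr/bin/pyuic5` rather than trusting the package version string.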