Bug 819592

Summary: python-virtualenvwrapper security vulnerability
Product: [Fedora] Fedora Reporter: Ralph Bean <rbean>
Component: python-virtualenvwrapperAssignee: Ralph Bean <rbean>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 17CC: aron, rbean
Target Milestone: ---   
Target Release: ---   
Hardware: noarch   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-05-22 15:32:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Ralph Bean 2012-05-07 16:15:23 UTC
Great to see that F17 will include virtualenvwrapper!  However
there's a security vulnerability that you might want to patch
before release.  The vulnerability allows an attacker to execute
arbitrary commands as any user that loads virtualenvwrapper.sh.
It's also easy to use the victim's privileges to gain root.

The problem is in the tempfile handling. There's a trap in
virtualenvwrapper_tempfile() which fires immediately when the
function returns. (Trivia: On bash it fires because the function
is in a command substitution; on zsh and ksh it fires because an
EXIT trap runs on return from a function.) The trap removes the
temporary file that was just created by mktemp. The calling
function doesn't notice the tempfile is gone and recreates it,
then sources it into the shell.

The attack inserts a new temporary file in the window between its
removal and recreation. The new file is owned by the attacker but
has permissions 666 so virtualenvwrapper.sh can write to it
without errors. After virtualenvwrapper.sh finishes writing, the
attacker appends additional commands to the file, which the
victim then sources into their shell.

It would be tricky timing, but it's relatively trivial to
accomplish the attack with help from inotify.

Doug Hellmann (cc'd) is planning an upstream release at end of
week, but that won't make the F17 cutoff.  In the meantime, the
patch below is the minimal fix to plug the hole.


--- /usr/bin/virtualenvwrapper.sh.orig  2012-05-03 19:11:04.000000000 -0400
+++ /usr/bin/virtualenvwrapper.sh   2012-05-07 11:45:44.061357101 -0400
@@ -137,7 +137,6 @@
         echo "ERROR: virtualenvwrapper could not create a temporary file name." 1>&2
         return 1
-    trap "\rm -f '$file' >/dev/null 2>&1" EXIT
     echo $file
     return 0

Comment 1 Fedora Update System 2012-05-07 16:18:27 UTC
python-virtualenvwrapper-3.2-3.fc17 has been submitted as an update for Fedora 17.

Comment 2 Fedora Update System 2012-05-07 16:27:59 UTC
python-virtualenvwrapper-3.2-3.el6 has been submitted as an update for Fedora EPEL 6.

Comment 3 Fedora Update System 2012-05-07 22:11:20 UTC
Package python-virtualenvwrapper-3.2-3.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing python-virtualenvwrapper-3.2-3.el6'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2012-05-22 15:32:07 UTC
python-virtualenvwrapper-3.2-3.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2012-05-26 06:56:21 UTC
python-virtualenvwrapper-3.2-3.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.