Red Hat Bugzilla – Full Text Bug Listing
Summary: CVE-2013-1633 python-setuptools: easy_install insecure installation mechanism
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW ---
QA Contact:
Version: unspecified
CC: a.badger, bgollahe, bhu, bkabrda, bleanhar, briang, ccoleman, cpelland, dajohnso, dmcphers, drieden, esammons, fschwarz, iboverma, jberan, jdetiber, jeckersb, jialiu, jkurik, jross, kseifried, lmeyer, matt, mcressma, mmaslano, mmccune, mmcgrath, morazi, mrg-program-list, mrunge, pfrields, python-maint, smilner, vdanen, williams
Target Milestone: ---
Keywords: Reopened, Security
Fixed In Version: python-setuptools 0.7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Last Closed: 2014-06-25 03:04:58 EDT
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 994772, 994773, 994774, 996705, 996706, 996707, 997556, 1008791, 1165361
Description Vincent Danen 2013-08-06 12:32:11 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-1633 to the following vulnerability:

Name: CVE-2013-1633
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1633
Assigned: 20130206
Reference: http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
Reference: https://pypi.python.org/pypi/setuptools/0.9.8#changes

easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product.
Comment 1 Toshio Ernie Kuratomi 2013-08-06 14:03:09 EDT
Will also affect python-virtualenv which currently bundles setuptools.
Comment 2 Toshio Ernie Kuratomi 2013-08-06 14:19:19 EDT
Question -- is this something that we should be pushing the fixed package back into older Fedora releases? The new setuptools is mostly compatible although we've had to fix a few packages for use with it. Currently, I know of:

* python-RPi-GPIO, which uses a technique for bootstrapping its build system that relied on distribute. The solution was to get rid of the bootstrap code as it's not needed if we have system packages for python-setuptools. This could apply to other packages as well.
* python-zc-buildout. Fixing this required updating to a newer version of buildout. Should not be a generalized problem for other packages.
Comment 3 Vincent Danen 2013-08-07 21:23:12 EDT
Define "older Fedora releases". We only support Fedora 18 and 19 right now. Is it not possible to update this in those two versions? I'll also file tracking bugs, sorry I forgot to do that.
Comment 4 Vincent Danen 2013-08-07 21:29:00 EDT
Created python-virtualenv tracking bugs for this issue: Affects: fedora-all [bug 994773] Affects: epel-all [bug 994774]
Comment 5 Vincent Danen 2013-08-07 21:29:32 EDT
Created python-setuptools tracking bugs for this issue: Affects: fedora-all [bug 994772]
Comment 6 Bohuslav "Slavek" Kabrda 2013-08-08 01:33:52 EDT
Vincent, does this also affect python-setuptools as shipped in RHEL 5 and RHEL 6? If so, would you open the bugs for them, too?
Comment 7 Toshio Ernie Kuratomi 2013-08-08 02:28:06 EDT
@slavek: It will affect RHEL5 and RHEL6. The feature (using https and checking the server's certificate) wasn't implemented until setuptools-0.7. RHEL6 is on setuptools-0.6.x (really, the distribute fork of setuptools). RHEL5 is older than that. If you're backporting or looking at the minimum version to upgrade to, also be aware that there is a CVE in the code that implements the feature so you'll also need to backport the changes that went into 0.9.5: https://pypi.python.org/pypi/setuptools/0.9.8#id115

@vincent: Yeah, Fedora rawhide (F20) has a Fedora Change Plan to make the upgrade from 0.6.x to 0.7+: https://fedoraproject.org/wiki/Changes/Python_setuptools_0.7

All previous versions of Fedora are on the 0.6.x release series. It is possible to upgrade and as I said in Comment 2, in Rawhide it so far has only caused a few known incompatibilities. However, there are widespread changes to the codebase due to the nature of the upstream work and in Rawhide we have the freedom to upgrade other packages that depend heavily on setuptools so it would be nice to avoid upgrading. One option is if slavek is going to backport the changes needed to the RHEL package, we could consume that same patch in Fedora 17 and 18 instead of upgrading to the latest version.
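The description and Comment 7 above name the two controls that easy_install before 0.7 lacked: an HTTPS transport with certificate checking, and an integrity check on what was downloaded. The following is an added illustration, not code from this bug or from setuptools, showing how a defender can express both checks (plus a version test for the affected 0.6.x series) in plain Python 3 standard library. The index URLs and the SHA-256 pin are constructed sample values; the network fetch is only reachable through fetch_verified and is not needed to run the checks offline.

```python
"""Added example (not from the Bugzilla thread or setuptools): the transport
and integrity checks that easy_install < 0.7 did not perform, as stand-alone
functions. Sample URLs and digests below are constructed for illustration."""
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlparse

# Per the bug report: HTTPS with certificate verification arrived in 0.7.
FIXED_VERSION = (0, 7)


def parse_version(version):
    """Turn '0.6.49' or '0.6c11' into a comparable tuple of leading integers.
    Letter suffixes (the 0.6cN pre-releases) are dropped after the digits."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def easy_install_affected(version):
    """True for any setuptools/distribute release before 0.7."""
    return parse_version(version) < FIXED_VERSION


def index_url_is_secure(url):
    """Only an https:// origin with a host is acceptable for package fetches."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def verify_sha256(data, expected_hex):
    """Constant-time comparison of the payload digest against a pinned value."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def vet_download(url, data, expected_sha256):
    """Policy for an already-fetched payload: reject plaintext origins and
    reject content whose digest does not match the pin. Returns (ok, reason)."""
    if not index_url_is_secure(url):
        return False, "plaintext transport"
    if not verify_sha256(data, expected_sha256):
        return False, "digest mismatch"
    return True, "ok"


def fetch_verified(url, expected_sha256):
    """Fetch over HTTPS with chain and hostname verification, then apply
    vet_download before returning the bytes to any installer."""
    if not index_url_is_secure(url):
        raise ValueError("refusing non-HTTPS download: %s" % url)
    context = ssl.create_default_context()  # verifies CA chain and hostname
    with urllib.request.urlopen(url, context=context) as resp:
        data = resp.read()
    ok, reason = vet_download(url, data, expected_sha256)
    if not ok:
        raise ValueError("download rejected: %s" % reason)
    return data


if __name__ == "__main__":
    # Constructed sample: a tiny payload and the digest we would have pinned.
    payload = b"hello"
    pin = hashlib.sha256(payload).hexdigest()
    for ver in ("0.6.49", "0.6c11", "0.7", "0.9.8"):
        print(ver, "affected" if easy_install_affected(ver) else "fixed")
    print(vet_download("http://pypi.example/simple/pkg.tar.gz", payload, pin))
    print(vet_download("https://pypi.example/simple/pkg.tar.gz", payload, pin))
    print(vet_download("https://pypi.example/simple/pkg.tar.gz", b"hellp", pin))
```

The digest pin stands in for whatever out-of-band value the operator trusts (a hash recorded at package review time, for instance); the point is that transport security and content integrity are independent checks, and the old easy_install default had neither.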
Comment 8 Vincent Danen 2013-08-08 17:33:44 EDT
There was no plan to do an erratum at this time for RHEL5 and 6, however if you want to help Toshio (or vice versa) put together something that will work on Fedora so we can analyze any potential impact, that would be extremely helpful. There's probably a dozen packages that I can see in RHEL6 that depend on python-setuptools, and none in RHEL5 so the impact there should be minimal. For reference, for RHEL6 I see:

PyOpenGL
babel
python-Coherence
python-coverage
python-formencode
python-louie
python-nose
python-paver
python-pygments
python-repoze-who
python-paste-script

Do you think that helping deal with Fedora would be a reasonable way forward? The work wouldn't be in vain.
Comment 14 Fedora Update System 2013-09-04 14:26:02 EDT
python-virtualenv-1.10.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2013-09-04 21:26:32 EDT
python-virtualenv-1.10.1-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Comment 19 Toshio Ernie Kuratomi 2014-03-10 11:30:03 EDT
Another compatibility note: the easy_install commandline tool changed in 0.7.x to install zipped eggs instead of unzipped eggs by default. This caused a small change in packaging guidelines (adding the -Z CLI switch to restore the old behaviour) in corner cases. Not really known how much this would affect end user's use of the easy_install command.
Comment 23 Kurt Seifried 2014-06-30 19:36:47 EDT
Statement: Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat OpenShift Enterprise Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift.