Bug 1220746 (CVE-2015-1326) - CVE-2015-1326 python-dbusmock: arbitrary code execution or file overwrite when templates are loaded from /tmp
Summary: CVE-2015-1326 python-dbusmock: arbitrary code execution or file overwrite whe...
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2015-1326
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: All
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 1220744 1220745 (view as bug list)
Depends On: 1223312 1223313
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-05-12 10:39 UTC by Martin Pitt
Modified: 2019-09-29 13:32 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 02:41:07 UTC


Attachments (Terms of Use)
patch for building with Fedora-patched dbus-python (1.49 KB, patch)
2015-05-26 10:08 UTC, Martin Pitt
no flags Details | Diff
koji build log (33.40 KB, text/plain)
2017-07-26 16:04 UTC, Matěj Cepl
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1453815 0 None None None Never

Description Martin Pitt 2015-05-12 10:39:26 UTC
Simon McVittie found a potentially exploitable bug with loading custom dbusmock templates: When a user is tricked into loading a template from a world-writable directory like /tmp, an attacker could run arbitrary code with the user's privileges by putting a crafted .pyc file into that directory.
    
Note that this is highly unlikely to actually appear in practice as custom dbusmock templates are usually shipped in project directories, not directly in world-writable directories. Hence we decided to immediately make this bug public and don't aim for a coordinated release date. So please make this bug public as well.

Details are on the linked Launchpad bug.

CVE-2015-1326
Upstream fix: https://github.com/martinpitt/python-dbusmock/commit/4e7d0df9093
This is included in the 0.15.1 upstream release: https://launchpad.net/python-dbusmock/trunk/0.15.1

Comment 1 Martin Pitt 2015-05-12 10:42:12 UTC
I initially tried to report this as a security bug, but bugzilla would just error 500 on me. Can we subscribe the Fedora/RedHat security team to an existing bug?

Comment 2 Matěj Cepl 2015-05-12 13:08:35 UTC
(In reply to Martin Pitt from comment #1)
> I initially tried to report this as a security bug, but bugzilla would just
> error 500 on me. Can we subscribe the Fedora/RedHat security team to an
> existing bug?

You probably have to have some higher level of mojo ;)

Comment 3 Matěj Cepl 2015-05-12 14:30:36 UTC
Trying the update to 0.15.1 on Fedora Rawhide and the running of tests seems to end in the disaster ... https://kojipkgs.fedoraproject.org//work/tasks/3162/9713162/build.log ... any idea?

Comment 4 Matěj Cepl 2015-05-12 14:32:13 UTC
The whole Koji build is http://koji.fedoraproject.org/koji/taskinfo?taskID=9713162

Comment 5 Martin Pitt 2015-05-12 14:50:50 UTC
The _dbus_class_table attribute comes from dbus-python. I haven't seen this error yet, we have version 1.2.0. According to https://kojipkgs.fedoraproject.org//work/tasks/3162/9713162/root.log that's the version you have as well..

Was that updated/patched recently in Fedora in a way which could explain this? When did the previous dbusmock build happen?

Comment 6 Matěj Cepl 2015-05-12 16:54:35 UTC
(In reply to Martin Pitt from comment #5)
> Was that updated/patched recently in Fedora in a way which could explain
> this? When did the previous dbusmock build happen?

That’s the problem … it seems that the last updated version is python-dbusmock-0.11.1-1.fc22, so I am trying to make a huge leap to 0.15.1, I know.

See http://koji.fedoraproject.org/koji/packageinfo?packageID=14852 for the history of builds in Fedora.

Comment 7 Martin Pitt 2015-05-13 05:55:40 UTC
OOI, does it build on F22 and/or F21 with an older dbus-python? You would probably just grab the single commit for those; but neither that commit nor the other recent changes in later versions don't change the Introspect() method (which accesses self._dbus_class_table), the last change there was in September 2012.

Comment 8 Vasyl Kaigorodov 2015-05-19 15:04:33 UTC
*** Bug 1220745 has been marked as a duplicate of this bug. ***

Comment 9 Vasyl Kaigorodov 2015-05-19 15:04:42 UTC
*** Bug 1220744 has been marked as a duplicate of this bug. ***

Comment 10 Vasyl Kaigorodov 2015-05-20 10:03:42 UTC
Created python-dbusmock tracking bugs for this issue:

Affects: fedora-all [bug 1223312]
Affects: epel-all [bug 1223313]

Comment 11 Martin Pitt 2015-05-26 10:01:57 UTC
Wrt. the build failure: dbus-python's Introspect() does assume that self._dbus_class_table exists; if it wouldn't, the original method would fail as well:

  http://cgit.freedesktop.org/dbus/dbus-python/tree/dbus/service.py#n756

the koji test failure happens in the overridden def Introspect() which augments self._dbus_class_table with the mocked methods. So this looks like a bug in your dbus-python package somehow?

Indeed I can reproduce the failure on a F21 live system. It seems that your dbus-python package has a patch which removes self._dbus_class_table:

  http://pkgs.fedoraproject.org/cgit/dbus-python.git/tree/object_manager.patch

Comment 12 Martin Pitt 2015-05-26 10:08:22 UTC
Created attachment 1029836 [details]
patch for building with Fedora-patched dbus-python

If you apply this patch to python-dbusmock, it will work correctly with the Fedora-patched dbus-python. I'm happy to apply this patch upstream once the dbus-python patch lands upstream as well.

Comment 13 Matěj Cepl 2017-07-26 16:04:00 UTC
Created attachment 1304880 [details]
koji build log

Not sure what to think about this problem.

Comment 14 Matěj Cepl 2017-07-26 16:04:41 UTC
And of course, I am sorry, that it took so long to get back to this bug.

Comment 15 Martin Pitt 2017-07-27 06:25:23 UTC
@Matej: The four timedated test failures were due to output format changes in systemd 215/220, and got fixed in https://github.com/martinpitt/python-dbusmock/commit/f1e2b19bba12fc and https://github.com/martinpitt/python-dbusmock/commit/3d09f9fc27a.

The two test_logind failures were due to output format changes in systemd 209 and got fixed in https://github.com/martinpitt/python-dbusmock/commit/39a807c5 .

But I suppose this is all moot now in recent Fedoras, which have recent upstream versions?

Comment 16 Matěj Cepl 2017-07-27 15:27:58 UTC
(In reply to Martin Pitt from comment #15)
> But I suppose this is all moot now in recent Fedoras, which have recent
> upstream versions?

Not in EPEL-7 and F25. With those patches, I have managed to built on both on these, so this bug will be finally closed eventually.

Comment 17 Product Security DevOps Team 2019-06-08 02:41:07 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.


Note You need to log in before you can comment on or make changes to this bug.