Bug 1347130 - Arbitrary code execution due to insecure loading of Python module(s) from CWD
Summary: Arbitrary code execution due to insecure loading of Python module(s) from CWD
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: virt-who
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Radek Novacek
QA Contact: Eko
URL:
Whiteboard:
Depends On:
Blocks: 1348410
Reported: 2016-06-16 06:45 UTC by Dhiru Kholia
Modified: 2016-12-01 00:36 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 05:09:53 UTC
Target Upstream Version:
Links
System: Red Hat Product Errata
ID: RHBA-2016:2387
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: virt-who bug fix and enhancement update
Last Updated: 2016-11-03 13:53:39 UTC

Description Dhiru Kholia 2016-06-16 06:45:38 UTC
Description of problem:

The virt-who script from the virt-who package tries to load the "virtwho.py" Python module from the current working directory (CWD). The virt-who-password utility from the same package is similarly affected.

Version-Release number of selected component (if applicable):

virt-who-0.14-9.el7.noarch

Steps to Reproduce:

$ cat > virtwho.py
print("boom!")

$ virt-who  # invoke /usr/bin/virt-who script
boom!

Additional info:

Upstream Fedora version virt-who-0.17-1.fc24.noarch is not affected by this.

This bug is similar to https://bugzilla.redhat.com/show_bug.cgi?id=995060

Comment 1 Radek Novacek 2016-06-16 07:10:18 UTC
This is fixed in the latest upstream version (0.17), which will be part of the upcoming RHEL-7.3. virt-who now uses an entry_point instead of a custom shell script for its /usr/bin/virt-who executable.

Let's move this bug to modified so the QE team can verify that this problem is indeed fixed.
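The difference Comment 1 relies on can be checked directly. The script below is an added example written for this report; it is not virt-who code, and the three launcher styles it compares are constructed stand-ins. It assumes the original shell wrapper ran the interpreter in `-c` style (which makes CPython put `''`, the current working directory, first on `sys.path`), contrasts that with a script file in its own directory (the shape of a setuptools entry_point console script under /usr/bin), and also shows the interpreter's `-I` isolated mode, which drops the implicit entry. `cwd_import_entries()` is the reusable audit: given a `sys.path` and a working directory, it returns the entries that would let a module dropped into that directory shadow the program's own imports.

```python
"""Audit how a Python launcher populates sys.path, to see whether the
working directory is importable.

Added example for this bug report; it is not virt-who code. The three
launcher styles are constructed stand-ins: the original /usr/bin/virt-who
wrapper is assumed to have run the interpreter in "-c" style, which is
what puts the CWD on the import path.
"""
import json
import os
import subprocess
import sys
import tempfile

# One-liner the probed interpreter runs so we can read back its sys.path.
PROBE = "import json, sys; print(json.dumps(sys.path))"


def cwd_import_entries(sys_path, cwd):
    """Return the sys.path entries that make `cwd` importable.

    CPython marks "current directory" with '' (for -c / -m / the REPL)
    or '.'; an absolute entry resolving to cwd has the same effect.
    """
    cwd = os.path.realpath(cwd)
    return [
        entry for entry in sys_path
        if entry in ("", ".") or os.path.realpath(entry) == cwd
    ]


def probe_sys_path(argv, cwd):
    """Run an interpreter command in `cwd` and return the sys.path it saw."""
    proc = subprocess.run(argv, cwd=cwd, capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def compare_launchers():
    """Compare three launcher styles run from a user-writable directory.

    Returns {style: cwd_entries}; an empty list means modules placed in
    the working directory cannot shadow the program's own imports.
    """
    with tempfile.TemporaryDirectory() as workdir, \
            tempfile.TemporaryDirectory() as bindir:
        # Style 1: shell wrapper doing `python -c "import virtwho"`.
        # sys.path[0] is '', i.e. whatever directory the user ran it from.
        wrapper = probe_sys_path([sys.executable, "-c", PROBE], workdir)

        # Style 2: a real script file, as a setuptools entry_point console
        # script installed under /usr/bin is. sys.path[0] is the script's
        # own directory (bindir here), not the caller's CWD.
        script = os.path.join(bindir, "launcher")
        with open(script, "w") as fh:
            fh.write(PROBE + "\n")
        entry_point = probe_sys_path([sys.executable, script], workdir)

        # Style 3: the same -c wrapper run in isolated mode (-I), which
        # omits the implicit CWD/script-dir entry and user site-packages.
        isolated = probe_sys_path([sys.executable, "-I", "-c", PROBE], workdir)

        return {
            "shell wrapper (-c)": cwd_import_entries(wrapper, workdir),
            "entry_point script": cwd_import_entries(entry_point, workdir),
            "shell wrapper (-I -c)": cwd_import_entries(isolated, workdir),
        }


if __name__ == "__main__":
    for style, hits in compare_launchers().items():
        verdict = "CWD importable via %r" % (hits,) if hits else "CWD not on sys.path"
        print("%-24s %s" % (style, verdict))
```

Only the `-c` style reports the CWD as importable, which is why moving /usr/bin/virt-who to a generated entry_point script closes the issue without touching virt-who's own modules. The same `cwd_import_entries()` check can be run against any packaged Python launcher on a host to find others with the same exposure.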

Comment 3 Eko 2016-07-05 06:00:26 UTC
Verified in virt-who-0.17-5.el7.noarch.

1). create virtwho.py in PWD
# cat virtwho.py
print("boom!")

2). run virt-who command
# virt-who
2016-07-05 01:59:57,141 INFO: No configurations found, using libvirt as backend
2016-07-05 01:59:57,141 INFO: Using configuration "env/cmdline" ("libvirt" mode)
2016-07-05 01:59:57,142 INFO: Using reporter_id='hp-z220-12.qe.lab.eng.nay.redhat.com-14b12011609544bdb19af97d8c8032a9'
2016-07-05 01:59:57,172 INFO: Using libvirt url: ""
....

Comment 5 errata-xmlrpc 2016-11-04 05:09:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2387.html