Bug 819592 - python-virtualenvwrapper security vulnerability
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: python-virtualenvwrapper
Version: 17
Hardware: noarch
OS: Linux
Priority: unspecified
Severity: medium
Assignee: Ralph Bean
QA Contact: Fedora Extras Quality Assurance

Reported: 2012-05-07 16:15 UTC by Ralph Bean
Modified: 2012-05-26 06:56 UTC
CC: aron, rbean
Doc Type: Bug Fix
Last Closed: 2012-05-22 15:32:07 UTC

Ralph Bean 2012-05-07 16:15:23 UTC

Great to see that F17 will include virtualenvwrapper! However there's a security vulnerability that you might want to patch before release.

The vulnerability allows an attacker to execute arbitrary commands as any user that loads virtualenvwrapper.sh. It's also easy to use the victim's privileges to gain root.

The problem is in the tempfile handling. There's a trap in virtualenvwrapper_tempfile() which fires immediately when the function returns. (Trivia: On bash it fires because the function is in a command substitution; on zsh and ksh it fires because an EXIT trap runs on return from a function.) The trap removes the temporary file that was just created by mktemp. The calling function doesn't notice the tempfile is gone and recreates it, then sources it into the shell.

The attack inserts a new temporary file in the window between its removal and recreation. The new file is owned by the attacker but has permissions 666 so virtualenvwrapper.sh can write to it without errors. After virtualenvwrapper.sh finishes writing, the attacker appends additional commands to the file, which the victim then sources into their shell. It would be tricky timing, but it's relatively trivial to accomplish the attack with help from inotify.

Doug Hellmann (cc'd) is planning an upstream release at end of week, but that won't make the F17 cutoff. In the meantime, the patch below is the minimal fix to plug the hole.

Regards,
Aron

--- /usr/bin/virtualenvwrapper.sh.orig 2012-05-03 19:11:04.000000000 -0400
+++ /usr/bin/virtualenvwrapper.sh 2012-05-07 11:45:44.061357101 -0400
@@ -137,7 +137,6 @@ echo "ERROR: virtualenvwrapper could not create a temporary file name." 1>&2 return 1 fi - trap "\rm -f '$file' >/dev/null 2>&1" EXIT echo$file return 0 }

Fedora Update System 2012-05-07 16:18:27 UTC

python-virtualenvwrapper-3.2-3.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/python-virtualenvwrapper-3.2-3.fc17

Fedora Update System 2012-05-07 16:27:59 UTC

python-virtualenvwrapper-3.2-3.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/python-virtualenvwrapper-3.2-3.el6

Fedora Update System 2012-05-07 22:11:20 UTC

Package python-virtualenvwrapper-3.2-3.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing python-virtualenvwrapper-3.2-3.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-5808/python-virtualenvwrapper-3.2-3.el6
then log in and leave karma (feedback).

Fedora Update System 2012-05-22 15:32:07 UTC

python-virtualenvwrapper-3.2-3.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Fedora Update System 2012-05-26 06:56:21 UTC

python-virtualenvwrapper-3.2-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
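Review bot: Dropping the EXIT trap in virtualenvwrapper_tempfile() closes the early-removal window, but the hunk adds nothing in its place, so the temporary file now outlives the function and every caller that sources it has to remove it afterwards; that caller-side change is not part of this patch, so please confirm the callers were updated or each hook run will leave a file behind in the temp directory. Separately, the context line reads `echo$file` in this copy of the hunk, which looks like whitespace lost in transit from `echo $file`; anyone applying the patch from the bug text will have to restore the space or patch will reject the hunk. A more robust fix in the caller would also verify, before sourcing, that the path is a regular file owned by the current user with mode 0600, since the report's attack depends on a planted world-writable file being written to without error.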
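The mechanism Aron describes above (an EXIT trap registered inside virtualenvwrapper_tempfile() fires as soon as the command substitution returns, so the caller recreates and sources a path it no longer controls) can be reproduced harmlessly and contrasted with a pattern that leaves no such window. The script below is an added example, not code from the bug report or from virtualenvwrapper itself; the function names (buggy_tempfile, safe_tempfile, tempfile_is_trusted, run_hook_through_tempfile), the demo- template and the DEMO_VAR hook payload are illustrative assumptions. It runs under bash or dash.

```shell
#!/bin/sh
# Added example, not from the bug report or virtualenvwrapper itself.
# Part 1 reproduces the mechanism from the report: an EXIT trap registered
# inside a function that runs in $(...) fires when the subshell returns, so
# the caller receives a path whose file has already been removed.
# Part 2 shows a shape with no such window: the caller owns the file's whole
# lifetime and checks it before sourcing. All names here are assumptions.

TMPBASE=${TMPDIR:-/tmp}

# --- Part 1: the buggy shape (same structure as the trap the patch removes)
buggy_tempfile() {
    file=$(mktemp "$TMPBASE/demo-XXXXXXXXXX") || return 1
    # Fires when the command substitution's subshell exits, i.e. on return.
    trap "rm -f '$file' >/dev/null 2>&1" EXIT
    echo "$file"
    return 0
}

# Returns 0 if the path handed back no longer exists: that is the window the
# original caller fell into when it silently recreated the file.
demo_buggy_file_is_gone() {
    f=$(buggy_tempfile) || return 1
    if [ -e "$f" ]; then
        rm -f "$f"
        return 1
    fi
    return 0
}

# --- Part 2: the safer shape
# mktemp creates the file itself with mode 0600, so the path never exists
# without the file. No trap here: cleanup belongs to the caller.
safe_tempfile() {
    mktemp "$TMPBASE/demo-XXXXXXXXXX"
}

# Source nothing that is not a regular, non-symlink file owned by the current
# user with mode 0600. A planted 666 file, as in the report, fails this check.
tempfile_is_trusted() {
    f=$1
    [ -f "$f" ] || return 1
    [ ! -L "$f" ] || return 1
    [ -O "$f" ] || return 1
    # GNU stat first, BSD stat as the fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    [ "$mode" = "600" ] || return 1
    return 0
}

# Write the hook output, verify the file, source it, and remove it here,
# in the same function that created it.
run_hook_through_tempfile() {
    hook_output=$1
    f=$(safe_tempfile) || return 1
    printf '%s\n' "$hook_output" > "$f"
    if tempfile_is_trusted "$f"; then
        . "$f"
        rc=0
    else
        rc=1
    fi
    rm -f "$f"
    return $rc
}

# A world-writable file at the path must be rejected, never sourced.
demo_rejects_world_writable() {
    f=$(mktemp "$TMPBASE/demo-XXXXXXXXXX") || return 1
    chmod 666 "$f"
    if tempfile_is_trusted "$f"; then
        rm -f "$f"
        return 1
    fi
    rm -f "$f"
    return 0
}

# Stand-alone run: report each check.
demo_buggy_file_is_gone && echo "buggy: file already gone when the caller looks"
demo_rejects_world_writable && echo "safe: refuses a world-writable file"
run_hook_through_tempfile 'DEMO_VAR=hooked' && echo "safe: sourced cleanly, DEMO_VAR=$DEMO_VAR"
```

The point of Part 2 is not the ownership check alone but where the cleanup lives: once the function that creates the file is also the one that sources and removes it, there is no moment at which a known path exists without its file, so the race the report describes has nothing to target, and the 0600 check is a second line of defence rather than the only one.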