Bug 961332 - python-setuptools: Weak integrity checks when loading resources extracted from zipped eggs
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 1039775
Blocks: 961346
Reported: 2013-05-09 08:28 EDT by Jan Lieskovsky
Modified: 2014-08-04 07:59 EDT
Doc Type: Bug Fix
Attachments
Updated upstream patch (7.69 KB, patch), 2013-07-08 12:04 EDT, Jan Lieskovsky
Description Jan Lieskovsky 2013-05-09 08:28:16 EDT
A security flaw was found in the way Python Setuptools, a collection of enhancements to the Python distutils module that makes it easier to build and distribute Python packages, performed integrity checks when loading external resources previously extracted from zipped Python Egg archives (formerly, if the timestamp and file size of a particular resource expanded from the archive matched the original values, the resource was successfully loaded). A local attacker with write permission to Python's EGG cache (directory) could use this flaw to provide a specially-crafted resource (in expanded form) that, when loaded in an application requiring that resource to (be able to) run, would lead to arbitrary code execution with the privileges of the user running the application.

This issue was discovered by Grant Murphy and Dhiru Kholia from Red Hat Product Security Team.
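The description above explains that the original check trusted an extracted resource whenever its size and timestamp matched the archive entry. The following Python is an added illustration, not code from this bug report or from setuptools itself: it builds a small zip, writes one member into a cache directory, and runs a metadata-only check and a content-comparison check against both a genuine copy and a same-size modified copy whose mtime has been set to match the archive entry. The member name, its contents and the timestamp are constructed for the example, and the content comparison is one way a maintainer could close this gap; it is an assumption of the example, not a description of the upstream patch.

```python
import os
import tempfile
import time
import zipfile

# Constructed sample values for the example; none of these come from the bug report.
MEMBER = "plugin.py"
GENUINE = b"print('hello')\n"
TAMPERED = b"print('jello')\n"   # same length as GENUINE, different bytes
ZIP_DATE_TIME = (2013, 7, 8, 12, 4, 0)   # fixed timestamp stored in the zip entry


def entry_mtime_and_size(info):
    """Return (posix_mtime, size) for a ZipInfo.

    Zip entries store a local-time tuple with 2-second precision, so the
    expected mtime is rebuilt with time.mktime the same way each time.
    """
    return time.mktime(info.date_time + (0, -1, -1)), info.file_size


def is_current_weak(extracted_path, zf, member):
    """Metadata-only check: trust the file if size and mtime match the archive entry.

    This is the kind of check the bug describes as insufficient: anyone who can
    write to the cache can produce a file that satisfies both conditions.
    """
    expected_mtime, expected_size = entry_mtime_and_size(zf.getinfo(member))
    if not os.path.isfile(extracted_path):
        return False
    st = os.stat(extracted_path)
    return st.st_size == expected_size and int(st.st_mtime) == int(expected_mtime)


def is_current_strong(extracted_path, zf, member):
    """Hardened check (assumption): metadata must match AND the bytes on disk
    must equal the bytes stored in the archive entry."""
    if not is_current_weak(extracted_path, zf, member):
        return False
    with open(extracted_path, "rb") as f:
        return f.read() == zf.read(member)


def build_egg(path):
    """Create a one-member zip standing in for a zipped egg."""
    info = zipfile.ZipInfo(MEMBER, date_time=ZIP_DATE_TIME)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(info, GENUINE)


def check_cache_entry(cache_dir, egg_path, content):
    """Write `content` into the cache, give it the archive entry's mtime,
    and return (weak_result, strong_result) for that cached file."""
    with zipfile.ZipFile(egg_path) as zf:
        extracted = os.path.join(cache_dir, MEMBER)
        with open(extracted, "wb") as f:
            f.write(content)
        mtime, _ = entry_mtime_and_size(zf.getinfo(MEMBER))
        os.utime(extracted, (mtime, mtime))   # match the entry's timestamp exactly
        return (is_current_weak(extracted, zf, MEMBER),
                is_current_strong(extracted, zf, MEMBER))


def demo():
    """Return ((weak, strong) for the genuine file, (weak, strong) for the modified file)."""
    with tempfile.TemporaryDirectory() as tmp:
        egg = os.path.join(tmp, "example.egg")
        build_egg(egg)
        cache = os.path.join(tmp, "egg-cache")
        os.mkdir(cache)
        genuine = check_cache_entry(cache, egg, GENUINE)
        tampered = check_cache_entry(cache, egg, TAMPERED)
        return genuine, tampered


if __name__ == "__main__":
    print(demo())   # ((True, True), (True, False))
```

The modified file passes the size-and-mtime check but fails the byte comparison, which is the property a defender wants from a cache-validation routine when the cache directory (for example one under a shared `/tmp` as PYTHON_EGG_CACHE) is writable by other local users.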
Comment 6 Jan Lieskovsky 2013-05-13 05:16:44 EDT
Upstream bug report placeholder:
  https://bitbucket.org/tarek/distribute/issue/375

Proposed upstream patch:
  http://paste.jaraco.com/BBxKW
Comment 10 Kurt Seifried 2013-06-26 20:56:57 EDT
This affects many other programs:

http://searchcode.com/?q=PYTHON_EGG_CACHE+%2Ftmp&p=0
Comment 13 Jan Lieskovsky 2013-07-08 12:04:02 EDT
Created attachment 770558 [details]
Updated upstream patch

The command to recreate that diff from the setuptools repo is:

hg diff -r 48a15793cd73:e80b60445113

Expect this patch to be incorporated into Distribute 0.6.46 and Setuptools 0.7.5 and 0.8.
Comment 14 Bohuslav "Slavek" Kabrda 2013-07-09 01:58:23 EDT
Jan, will you be creating bugs for RHEL/Fedora for this in the near future? Any ETA when this will be un-embargoed?
Comment 15 Jan Lieskovsky 2013-07-09 09:32:49 EDT
(In reply to Bohuslav "Slavek" Kabrda from comment #14)
> Jan, will you be creating bugs for RHEL/Fedora for this in the near future? Any
> ETA when this will be un-embargoed?

Regarding the embargo date - Bohuslav, can you possibly see c#11 of this bug (speaking about the embargo date of this one being this Wednesday, the 10th)? If not, you should check with your manager to add you to the private_comment group.

Regarding child bugs for Fedora - they will be created once this bug is public (during the Wednesday).

Regarding child bugs for RHEL - it hasn't been decided if we want to correct this immediately or defer the fix. We will create bugs once that's clear.
Comment 17 Vincent Danen 2013-12-09 19:18:45 EST
This has now been reported to oss-security: http://seclists.org/oss-sec/2013/q4/438 (although it incorrectly does not note that a CVE has already been assigned).
Comment 18 Vincent Danen 2013-12-09 19:21:34 EST
Created python-setuptools tracking bugs for this issue:

Affects: fedora-all [bug 1039775]
Comment 20 Toshio Ernie Kuratomi 2013-12-09 20:59:59 EST
Note for people backporting this fix: The fix in c13 allows setuptools to traceback in some circumstances. setuptools upstream made several more releases before getting all of the tracebacks worked out (see the end of the upstream bug report: https://bitbucket.org/tarek/distribute/issue/375 )
Comment 21 Toshio Ernie Kuratomi 2013-12-09 22:20:07 EST
Also note -- setuptools is bundled in a few other packages.  Someone will need to figure out what those packages are to make sure they are bundling a recent enough version. :-(  [and note that they may be bundling both setuptools and distribute.  Have to make sure that both of those are updated enough].
Comment 22 Fedora Update System 2013-12-31 22:32:30 EST
python-setuptools-0.6.49-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Fedora Update System 2013-12-31 22:32:47 EST
python-setuptools-0.6.49-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.