Red Hat Bugzilla – Bug 961332
python-setuptools: Weak integrity checks when loading resources extracted from zipped eggs
Last modified: 2014-08-04 07:59:14 EDT
A security flaw was found in the way Python Setuptools, a collection of enhancements to the Python distutils module that makes it easier to build and distribute Python packages, performed integrity checks when loading external resources previously extracted from zipped Python Egg archives (formerly, if the timestamp and file size of a particular resource expanded from the archive matched the original values, the resource was successfully loaded). A local attacker with write permission to the Python EGG cache (directory) could use this flaw to provide a specially-crafted resource (in expanded form) that, when loaded by an application requiring that resource to (be able to) run, would lead to arbitrary code execution with the privileges of the user running the application.
This issue was discovered by Grant Murphy and Dhiru Kholia from Red Hat Product Security Team.
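The description above says the old check accepted an extracted resource whenever its size and modification time matched the zip entry. The following is an added illustration written for this page, not setuptools' or pkg_resources' own code: it builds a constructed one-file egg in memory, extracts the resource into a temporary cache directory, and runs two checks side by side, a metadata-only check of the kind described in the report and a content comparison against the bytes still held in the archive. A same-length edit to the cached file that keeps the original mtime passes the first check and fails the second. The resource name and contents are constructed sample values.

```python
import io
import os
import tempfile
import time
import zipfile

# Constructed sample egg: one resource inside a zip archive.
RESOURCE_NAME = "pkg/data.txt"
ORIGINAL = b"print('hello from the egg')\n"


def build_egg_bytes() -> bytes:
    """Return a minimal zipped egg containing RESOURCE_NAME (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(RESOURCE_NAME, ORIGINAL)
    return buf.getvalue()


def _entry_mtime(info: zipfile.ZipInfo) -> float:
    # Zip entries carry a local (year, month, day, hour, min, sec) tuple.
    return time.mktime(info.date_time + (0, 0, -1))


def extract_resource(egg_bytes: bytes, cache_dir: str) -> str:
    """Extract the resource into cache_dir, mirroring the archive's mtime."""
    with zipfile.ZipFile(io.BytesIO(egg_bytes)) as zf:
        info = zf.getinfo(RESOURCE_NAME)
        path = os.path.join(cache_dir, *RESOURCE_NAME.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(zf.read(info))
        ts = _entry_mtime(info)
        os.utime(path, (ts, ts))
    return path


def metadata_is_current(egg_bytes: bytes, path: str) -> bool:
    """Weak check: only size and mtime must agree with the zip entry."""
    with zipfile.ZipFile(io.BytesIO(egg_bytes)) as zf:
        info = zf.getinfo(RESOURCE_NAME)
    st = os.stat(path)
    return (st.st_size == info.file_size
            and int(st.st_mtime) == int(_entry_mtime(info)))


def content_is_current(egg_bytes: bytes, path: str) -> bool:
    """Stronger check: the bytes on disk must equal the archived bytes."""
    with zipfile.ZipFile(io.BytesIO(egg_bytes)) as zf:
        archived = zf.read(RESOURCE_NAME)
    with open(path, "rb") as f:
        return f.read() == archived


def rewrite_keeping_size_and_mtime(path: str, new_bytes: bytes) -> None:
    """Test helper: change the cached file's bytes without changing its
    size or mtime, to exercise the failure mode the report describes."""
    st = os.stat(path)
    if len(new_bytes) != st.st_size:
        raise ValueError("replacement must have the same size")
    with open(path, "wb") as f:
        f.write(new_bytes)
    os.utime(path, (st.st_atime, st.st_mtime))


def demo():
    """Return ((meta, content) before edit, (meta, content) after edit)."""
    egg = build_egg_bytes()
    with tempfile.TemporaryDirectory() as cache:
        path = extract_resource(egg, cache)
        before = (metadata_is_current(egg, path), content_is_current(egg, path))
        # Same length as ORIGINAL, different bytes (constructed).
        rewrite_keeping_size_and_mtime(path, b"print('HELLO from the egg')\n")
        after = (metadata_is_current(egg, path), content_is_current(egg, path))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh extract  -> metadata ok: %s, content ok: %s" % before)
    print("modified cache -> metadata ok: %s, content ok: %s" % after)
```

The content comparison costs a read of the archive entry on every load, which is why a metadata shortcut is tempting; the point of the report is that size and mtime are both under the control of anyone who can write to the cache directory, so they cannot stand in for the content itself.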
Upstream bug report placeholder:
Proposed upstream patch:
This affects many other programs:
Created attachment 770558
Updated upstream patch
The command to recreate that diff from the setuptools repo is:
hg diff -r 48a15793cd73:e80b60445113
Expect this patch to be incorporated into Distribute 0.6.46 and Setuptools 0.7.5 and 0.8.
Jan, will you be creating bugs for RHEL/Fedora for this in the near future? Any ETA on when this will be un-embargoed?
(In reply to Bohuslav "Slavek" Kabrda from comment #14)
> Jan, will you be creating bugs for RHEL/Fedora for this in the near future? Any
> ETA on when this will be un-embargoed?
Regarding the embargo date - Bohuslav, can you possibly see c#11 of this bug (speaking about the embargo date of this one being this Wednesday, the 10th)? If not, you should check with your manager to add you to the private_comment group.
Regarding child bugs for Fedora - they will be created once this bug is public (during the Wednesday).
Regarding child bugs for RHEL - it hasn't been decided if we want to correct this immediately or defer the fix. We will create bugs once that's clear.
This has now been reported to oss-security: http://seclists.org/oss-sec/2013/q4/438 (although it incorrectly does not note that a CVE has already been assigned).
Created python-setuptools tracking bugs for this issue:
Affects: fedora-all [bug 1039775]
Note for people backporting this fix: the fix in c13 allows setuptools to traceback in some circumstances. setuptools upstream made several more releases before getting all of the tracebacks worked out (see the end of the upstream bug report: https://bitbucket.org/tarek/distribute/issue/375 ).
Also note: setuptools is bundled in a few other packages. Someone will need to figure out what those packages are to make sure they are bundling a recent enough version. :-( [And note that they may be bundling both setuptools and distribute. Have to make sure that both of those are updated enough.]
python-setuptools-0.6.49-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
python-setuptools-0.6.49-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.