Bug 994182 - (CVE-2013-1633) CVE-2013-1633 python-setuptools: easy_install insecure installation mechanism
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20130602,repor...
Keywords: Reopened, Security
Depends On: 994772 994773 994774 996705 996706 996707 997556 1008791 1165361
Blocks: 994183
Reported: 2013-08-06 12:32 EDT by Vincent Danen
Modified: 2016-01-31 21:16 EST
CC: 35 users
Fixed In Version: python-setuptools 0.7
Doc Type: Bug Fix
Last Closed: 2014-06-25 03:04:58 EDT
Attachments: None
Description Vincent Danen 2013-08-06 12:32:11 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-1633 to
the following vulnerability:

Name: CVE-2013-1633
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1633
Assigned: 20130206
Reference: http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/
Reference: https://pypi.python.org/pypi/setuptools/0.9.8#changes

easy_install in setuptools before 0.7 uses HTTP to retrieve packages
from the PyPI repository, and does not perform integrity checks on
package contents, which allows man-in-the-middle attackers to execute
arbitrary code via a crafted response to the default use of the
product.
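A defensive counterpart to the weakness described above, added here as an illustration and not code from setuptools or this bug: it refuses non-HTTPS package URLs, fetches over TLS with server certificate verification (the behaviour the discussion attributes to setuptools 0.7), and checks the archive digest against an independently supplied value before returning it. The injectable `fetch` callable and the sample archive bytes are assumptions made so the example runs offline.

```python
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlparse


class InsecureDownload(Exception):
    """Raised when a package fetch would repeat the CVE-2013-1633 weakness."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def url_problems(url: str) -> list:
    """Return reasons a package URL is unacceptable (empty list means OK).
    Plain http:// is rejected outright: a network attacker can swap the archive."""
    parts = urlparse(url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is %r, only https is allowed" % parts.scheme)
    if not parts.netloc:
        problems.append("URL has no host")
    return problems


def download_verified(url: str, expected_sha256: str, fetch=None) -> bytes:
    """Fetch a package archive and return its bytes only if every check passes.

    fetch: hypothetical callable(url) -> bytes, injected for offline testing;
    the default uses urllib with a context that verifies the server
    certificate chain and hostname.
    """
    problems = url_problems(url)
    if problems:
        raise InsecureDownload("; ".join(problems))
    if fetch is None:
        ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check

        def fetch(u):
            with urllib.request.urlopen(u, context=ctx, timeout=30) as resp:
                return resp.read()
    data = fetch(url)
    # Integrity check: the expected digest must come from a trusted source
    # (e.g. a lock file), never from the same response, so tampering is caught.
    if not hmac.compare_digest(sha256_hex(data), expected_sha256.lower()):
        raise InsecureDownload("sha256 mismatch for %s" % url)
    return data
```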
Comment 1 Toshio Ernie Kuratomi 2013-08-06 14:03:09 EDT
Will also affect python-virtualenv which currently bundles setuptools.
Comment 2 Toshio Ernie Kuratomi 2013-08-06 14:19:19 EDT
Question: should we be pushing the fixed package back into older Fedora releases?  The new setuptools is mostly compatible although we've had to fix a few packages for use with it.  Currently, I know of:

* python-RPi-GPIO which uses a technique for bootstrapping its build system that relied on distribute.  The solution was to get rid of the bootstrap code as it's not needed if we have system packages for python-setuptools.  This could apply to other packages as well.
* python-zc-buildout.  Fixing this required updating to a newer version of buildout.  Should not be a generalized problem for other packages.
Comment 3 Vincent Danen 2013-08-07 21:23:12 EDT
Define "older Fedora releases".  We only support Fedora 18 and 19 right now.  Is it not possible to update this in those two versions?

I'll also file tracking bugs, sorry I forgot to do that.
Comment 4 Vincent Danen 2013-08-07 21:29:00 EDT
Created python-virtualenv tracking bugs for this issue:

Affects: fedora-all [bug 994773]
Affects: epel-all [bug 994774]
Comment 5 Vincent Danen 2013-08-07 21:29:32 EDT
Created python-setuptools tracking bugs for this issue:

Affects: fedora-all [bug 994772]
Comment 6 Bohuslav "Slavek" Kabrda 2013-08-08 01:33:52 EDT
Vincent, does this also affect python-setuptools as shipped in RHEL 5 and RHEL 6? If so, would you open the bugs for them, too?
Comment 7 Toshio Ernie Kuratomi 2013-08-08 02:28:06 EDT
@slavek: It will affect RHEL5 and RHEL6.  The feature (using https and checking the server's certificate) wasn't implemented until setuptools-0.7.  RHEL6 is on setuptools-0.6.x (really, the distribute fork of setuptools).  RHEL5 is older than that.  If you're backporting or looking at the minimum version to upgrade to, also be aware that there is a CVE in the code that implements the feature so you'll also need to backport the changes that went into 0.9.5: https://pypi.python.org/pypi/setuptools/0.9.8#id115

@vincent: Yeah, Fedora rawhide (F20) has a Fedora Change Plan to make the upgrade from 0.6.x to 0.7+: https://fedoraproject.org/wiki/Changes/Python_setuptools_0.7

All previous versions of Fedora are on the 0.6.x release series.  It is possible to upgrade and, as I said in Comment 2, in Rawhide it has so far only caused a few known incompatibilities.  However, there are widespread changes to the codebase due to the nature of the upstream work, and in Rawhide we have the freedom to upgrade other packages that depend heavily on setuptools, so it would be nice to avoid upgrading.

One option is if slavek is going to backport the changes needed to the RHEL package, we could consume that same patch in Fedora 17 and 18 instead of upgrading to the latest version.
Comment 8 Vincent Danen 2013-08-08 17:33:44 EDT
There was no plan to do an erratum at this time for RHEL5 and 6, however if you want to help Toshio (or vice versa) put together something that will work on Fedora so we can analyze any potential impact, that would be extremely helpful.

There's probably a dozen packages that I can see in RHEL6 that depend on python-setuptools, and none in RHEL5 so the impact there should be minimal.  For reference, for RHEL6 I see:

PyOpenGL
babel
python-Coherence
python-coverage
python-formencode
python-louie
python-nose
python-paver
python-pygments
python-repoze-who
python-paste-script

Do you think that helping deal with Fedora would be a reasonable way forward?  The work wouldn't be in vain.
Comment 14 Fedora Update System 2013-09-04 14:26:02 EDT
python-virtualenv-1.10.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2013-09-04 21:26:32 EDT
python-virtualenv-1.10.1-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Toshio Ernie Kuratomi 2014-03-10 11:30:03 EDT
Another compatibility note: the easy_install command-line tool changed in 0.7.x to install zipped eggs instead of unzipped eggs by default.  This caused a small change in packaging guidelines (adding the -Z CLI switch to restore the old behaviour) in corner cases.  It is not really known how much this would affect end users' use of the easy_install command.
Comment 23 Kurt Seifried 2014-06-30 19:36:47 EDT
Statement:

Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat OpenShift Enterprise Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift.