Your message dated Thu, 03 Nov 2011 23:24:51 +0000
with message-id <[email protected]>
and subject line Bug#646517: fixed in python-django-piston 0.2.2-2
has caused the Debian Bug report #646517,
regarding Insecure use of pickle when deserializing POST/PUT input
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
646517: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646517
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-django-piston
Version: 0.2.2-1
Severity: important

Hello,

/usr/share/pyshared/piston/emitters.py:398 contains:

  Mimer.register(pickle.loads, ('application/python-pickle',))

If I cross-reference it with
https://bitbucket.org/jespern/django-piston/wiki/Documentation#!receiving-data
where it says: "It should be noted that sending anything that
deserializes to this handler will also work", then I understand that I
can POST or PUT pickled data to piston and it will happily call
pickle.loads on it.

Which is kind of wrong: http://nadiana.com/python-pickle-insecure
(that's the first link I got out of Google, but I reckon you already
know the gist).

As a mitigation, I'll volunteer the best I could get as a safe
unpickler:

    import cPickle as pickle   # Python 2: only the C unpickler exposes find_global

    def unpickle(inputfd):
        # cPickle consults find_global for every GLOBAL opcode; setting it to
        # None makes the unpickler raise UnpicklingError instead of importing,
        # so REDUCE/BUILD/INST have no callable to invoke.
        unp = pickle.Unpickler(inputfd)
        unp.find_global = None
        return unp.load()

No one's told me yet how to feed malicious pickles to it, but no one has
guaranteed me yet that this is actually safe. One would need to audit
cPickle's code to know, and I haven't done it.

Of course this would reduce functionality, as it will not unpickle
complex objects.

I reckon the best default behaviour would be to disable unpickling, with
an option to enable full unpickling. Safe unpickling would be a
really really nice thing to have in Python in general, but seeing as
nobody guarantees that such a thing exists, I'm not sure it is a good
idea to offer it as an option.


Best regards,

Enrico

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-django-piston depends on:
ii  python-decorator  3.3.2-1
ii  python-django     1.3.1-2
ii  python-oauth      1.0.1-3
ii  python-support    1.0.14 

python-django-piston recommends no packages.

Versions of packages python-django-piston suggests:
ii  python-yaml  3.10-1

-- no debconf information



--- End Message ---
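An added worked example, not code from the bug report, from piston, or from the Debian upload, covering both the `Mimer.register(pickle.loads, ...)` dispatch the report describes and the `find_global = None` mitigation it proposes. It hand-builds a constructed protocol-0 pickle to show that the body of a POST with `application/python-pickle` is a function call, ports the no-globals unpickler to Python 3 (where cPickle's `find_global` hook became `Unpickler.find_class`), and sketches a content-type dispatch table with the pickle loader left out, which is what the 0.2.2-2 upload does. The names `NoGlobalsUnpickler`, `restricted_loads`, `LOADERS` and `parse_body` are this example's own, and `os.getcwd` stands in for the `os.system` or `subprocess` call a real payload would name.

```python
import io
import json
import os
import pickle

# Constructed attacker payload (protocol 0, written by hand: the client does
# not need Python, only these bytes in the request body):
#   c os \n getcwd \n  GLOBAL      -> import os, push os.getcwd
#   )                  EMPTY_TUPLE -> push ()
#   R                  REDUCE      -> call os.getcwd(*())
#   .                  STOP
# os.getcwd is a harmless stand-in for os.system or subprocess.check_output.
MALICIOUS_PICKLE = b"cos\ngetcwd\n)R."

# Constructed benign payload of the kind a real API client might send.
BENIGN_BODY = {"title": "hello", "tags": ["a", "b"], "count": 3}
BENIGN_PICKLE = pickle.dumps(BENIGN_BODY)


def unsafe_loads(data):
    """What piston 0.2.2-1 registered for application/python-pickle."""
    return pickle.loads(data)


def proves_code_execution(data=MALICIOUS_PICKLE):
    """True if unpickling `data` executed os.getcwd in this process."""
    return unsafe_loads(data) == os.getcwd()


class NoGlobalsUnpickler(pickle.Unpickler):
    """Python 3 port of `unp.find_global = None` on cPickle.

    Every GLOBAL / STACK_GLOBAL opcode goes through find_class; refusing all
    of them leaves the stream nothing to call, so REDUCE, BUILD, INST, OBJ
    and NEWOBJ cannot reach any importable function. Builtin containers and
    scalars (dict, list, tuple, str, bytes, int, float, bool, None) are
    built by dedicated opcodes and still load.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "refusing to resolve global %s.%s from untrusted data" % (module, name))


def restricted_loads(data):
    return NoGlobalsUnpickler(io.BytesIO(data)).load()


def rejects_globals(data):
    """True if the restricted unpickler refuses `data` outright."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Content-type dispatch in the style of piston's Mimer registry. The safe
# default is the one Debian shipped: no loader for application/python-pickle
# at all. restricted_loads could be registered instead, but even a no-globals
# unpickler still lets the client drive allocation and nesting depth, so it
# narrows the attack surface rather than proving the format safe.
LOADERS = {
    "application/json": lambda body: json.loads(body.decode("utf-8")),
    # "application/python-pickle": pickle.loads,  # the 0.2.2-1 registration
}


def parse_body(content_type, body):
    """Decode a request body by media type; unknown types are rejected."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    loader = LOADERS.get(media_type)
    if loader is None:
        raise ValueError("415 Unsupported Media Type: %s" % media_type)
    return loader(body)


if __name__ == "__main__":
    print("unsafe_loads ran os.getcwd():", proves_code_execution())
    print("restricted_loads rejects payload:", rejects_globals(MALICIOUS_PICKLE))
    print("restricted_loads keeps plain data:", restricted_loads(BENIGN_PICKLE))
    print("json body:", parse_body("application/json; charset=utf-8",
                                   b'{"title": "hello"}'))
```

Running it shows the three outcomes side by side: the registered `pickle.loads` executes whatever importable callable the client names, the no-globals unpickler raises on the same bytes while still decoding a plain dict, and the dispatch table turns the pickle media type into a 415 before any unpickler runs. The no-globals approach is the same reduction Enrico describes, with the same caveat: it blocks code execution via GLOBAL, not resource exhaustion from a hostile stream, so dropping the loader is the right default and the restricted unpickler is at best an opt-in.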
--- Begin Message ---
Source: python-django-piston
Source-Version: 0.2.2-2

We believe that the bug you reported is fixed in the latest version of
python-django-piston, which is due to be installed in the Debian FTP archive:

python-django-piston_0.2.2-2.debian.tar.gz
  to main/p/python-django-piston/python-django-piston_0.2.2-2.debian.tar.gz
python-django-piston_0.2.2-2.dsc
  to main/p/python-django-piston/python-django-piston_0.2.2-2.dsc
python-django-piston_0.2.2-2_all.deb
  to main/p/python-django-piston/python-django-piston_0.2.2-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Ziegler <[email protected]> (supplier of updated python-django-piston package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 01 Nov 2011 19:37:58 +0100
Source: python-django-piston
Binary: python-django-piston
Architecture: source all
Version: 0.2.2-2
Distribution: unstable
Urgency: low
Maintainer: Debian Python Modules Team <[email protected]>
Changed-By: Michael Ziegler <[email protected]>
Description: 
 python-django-piston - Django mini-framework creating RESTful APIs
Closes: 646517
Changes: 
 python-django-piston (0.2.2-2) unstable; urgency=low
 .
   [ Michael Ziegler ]
   * Bump Standards Version to 3.9.2.
   * Remove reference to /usr/share/common-licenses/BSD and strip trailing
     whitespace in copyright.
   * Fix a copy-paste error in copyright.
   * Fix a security issue in the YAML emitter.
   * Disable the pickle loader due to security concerns (Closes: #646517).
 .
   [ Luca Falavigna ]
   * Enable DM-Upload-Allowed field.
Checksums-Sha1: 
 e4a8fa709a5373abbe43c95119a25989a8f4ddad 2231 python-django-piston_0.2.2-2.dsc
 e2bb03259acc14ce60a9afcb7984de9ce3bc24e2 4605 python-django-piston_0.2.2-2.debian.tar.gz
 a5423c8f457a24ad515eb19aff953b65d79c4c8a 22250 python-django-piston_0.2.2-2_all.deb
Checksums-Sha256: 
 352b2c104145427b12008f7b7f68170a846b8aa7d2437f2516f741078f4e4b68 2231 python-django-piston_0.2.2-2.dsc
 2d47a4ce98c1ef230dfbc7e4cfaa5c94f19a1311afd713bed33fa2c68025b1ee 4605 python-django-piston_0.2.2-2.debian.tar.gz
 dc546abf4abf3e5c54d241e040b16f25d4e1cc843146ac2bb6768e93ac5f985f 22250 python-django-piston_0.2.2-2_all.deb
Files: 
 dc72c53e43f145490062b58998ab012a 2231 python optional python-django-piston_0.2.2-2.dsc
 eccf674750a5d4aaece15a8a63baa38a 4605 python optional python-django-piston_0.2.2-2.debian.tar.gz
 ecdc3bbf74e8c264e43014ee907bf238 22250 python optional python-django-piston_0.2.2-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
_______________________________________________
Python-modules-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/python-modules-team
