Bug#652653: python-virtualenv: insecure /tmp file handling
Hi Adam (2012.05.03_00:21:24_+0200)
> That happened now, as #661272 which was recently fixed in sid (thanks
> Stefano!). In terms of getting stable updated, either a 1.4.9-3squeeze2
> package could be prepared incorporating the extra fixes, or we could
> reject the original package and fix everything in one upload. Thoughts?

I have prepared an upload to replace the existing one (reject), so that I
could edit the changelog to close this bug and mention the CVE. debdiff
attached.

SR

-- 
Stefano Rivera
http://tumbleweed.org.za/
H: +27 21 465 6908 C: +27 72 419 8559 UCT: x3127

diff -Nru python-virtualenv-1.4.9/debian/changelog python-virtualenv-1.4.9/debian/changelog --- python-virtualenv-1.4.9/debian/changelog2010-08-22 15:55:50.0 +0200 +++ python-virtualenv-1.4.9/debian/changelog2012-05-04 20:35:07.0 +0200 @@ -1,3 +1,16 @@ +python-virtualenv (1.4.9-3squeeze1) stable; urgency=high + + [ Piotr Ożarowski ] + * Apply upstream's 8be37c509fe5 commit (to use proper temp. dir instead of +/tmp) (CVE-2011-4617, Closes: #652653) + + [ Stefano Rivera ] + * Team upload. + * Backport cleanup_tmpdirs.patch from 1.7.1.2-1. +Cleanup temporary working directories. (Closes: #661272) + + -- Stefano Rivera stefa...@debian.org Fri, 04 May 2012 20:31:24 +0200 + python-virtualenv (1.4.9-3) unstable; urgency=low * Team upload. diff -Nru python-virtualenv-1.4.9/debian/patches/8be37c509fe5.patch python-virtualenv-1.4.9/debian/patches/8be37c509fe5.patch --- python-virtualenv-1.4.9/debian/patches/8be37c509fe5.patch 1970-01-01 02:00:00.0 +0200 +++ python-virtualenv-1.4.9/debian/patches/8be37c509fe5.patch 2012-05-04 19:37:25.0 +0200
@@ -0,0 +1,41 @@ +# HG changeset patch +# User Jannis Leidel jan...@leidel.info +# Date 1280103078 -7200 +# Branch trunk +# Node ID 8be37c509fe5cd474ba947e784b8676d7bd3d535 +# Parent 29ae52edcb91323785116ccea255841843757c5c +Fixed #46 - Use a proper temp dir instead of /tmp. + +Index: python-virtualenv-1.4.9/virtualenv.py +=== +--- python-virtualenv-1.4.9.orig/virtualenv.py python-virtualenv-1.4.9/virtualenv.py +@@ -10,6 +10,7 @@ import optparse + import re + import shutil + import logging ++import tempfile + import distutils.sysconfig + try: + import subprocess +@@ -286,7 +287,6 @@ def _install_req(py_executable, unzip=Fa + if is_jython and os._name == 'nt': + # Jython's .bat sys.executable can't handle a command line + # argument with newlines +-import tempfile + fd, ez_setup = tempfile.mkstemp('.py') + os.write(fd, bootstrap_script) + os.close(fd) +@@ -324,10 +324,10 @@ def _install_req(py_executable, unzip=Fa + return filter_ez_setup(line, project_name) + + if not os.access(os.getcwd(), os.W_OK): +-cwd = '/tmp' ++cwd = tempfile.mkdtemp() + if source is not None and os.path.exists(source): + # the current working dir is hostile, let's copy the +-# tarball to /tmp ++# tarball to a temp dir + target = os.path.join(cwd, os.path.split(source)[-1]) + shutil.copy(source, target) + try: diff -Nru python-virtualenv-1.4.9/debian/patches/cleanup-tmpdirs.patch python-virtualenv-1.4.9/debian/patches/cleanup-tmpdirs.patch --- python-virtualenv-1.4.9/debian/patches/cleanup-tmpdirs.patch 1970-01-01 02:00:00.0 +0200 +++ python-virtualenv-1.4.9/debian/patches/cleanup-tmpdirs.patch 2012-05-04 20:30:14.0 +0200 
@@ -0,0 +1,208 @@ +Description: Cleanup temporary directory created with mkdtemp() + This patch was backported from the cleanup_tmpdirs.patch applied in 1.7.1.2-1 + . + The base64 mess is equivalent to: + . + |--- a/virtualenv_support/distribute_setup.py + |+++ b/virtualenv_support/distribute_setup.py + |@@ -14,6 +14,7 @@ the appropriate options to ``use_setuptools()``. + | This file can also be run as a script to install or upgrade setuptools. + | + | import os + |+import shutil + | import sys + | import time + | import fnmatch + |@@ -86,6 +87,7 @@ def _install(tarball): + | log.warn('See the error message above.') + | finally: + | os.chdir(old_wd) + |+shutil.rmtree(tmpdir) + | + | + | def _build_egg(egg, tarball, to_dir): + |@@ -110,6 +112,7 @@ def _build_egg(egg, tarball, to_dir): + | + | finally: + | os.chdir(old_wd) + |+shutil.rmtree(tmpdir) + | # returning the result + | log.warn(egg) + | if not os.path.exists(egg): +Author: Stefano Rivera stefa...@debian.org +Forwarded: https://github.com/pypa/virtualenv/pull/231 +Bug-Debian: http://bugs.debian.org/661272 + +--- a/virtualenv.py b/virtualenv.py +@@ -338,6 +338,8 @@ + finally: + logger.indent -= 2 + logger.end_progress() ++if cwd is not None: ++shutil.rmtree(cwd) + if os.getcwd() != old_chdir: +
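Review bot: the changelog hunk (`@@ -1,3 +1,16 @@`) records two new patch files, but the debdiff as quoted shows no change to debian/patches/series (the quoted diff stops part-way through cleanup-tmpdirs.patch, so it may simply have been cut off); please confirm both 8be37c509fe5.patch and cleanup-tmpdirs.patch are listed there, since with quilt-style patches a file dropped into debian/patches/ but not in series is silently never applied. Minor: the entry says "Backport cleanup_tmpdirs.patch from 1.7.1.2-1" while the file added here is cleanup-tmpdirs.patch (hyphen); naming the file as it ships in this package avoids confusion for whoever greps the changelog later.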
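Review bot: in the 8be37c509fe5.patch hunk at `@@ -324,10 +324,10 @@`, replacing `cwd = '/tmp'` with `cwd = tempfile.mkdtemp()` is the right fix for the fixed, world-writable staging path (mkdtemp() returns a freshly created, uniquely named directory with mode 0700, so another local user can neither predict nor pre-create it), but nothing in this hunk removes that directory afterwards, so on its own the patch trades one shared path for one orphaned directory per run from a non-writable cwd. That is acceptable here only because the separate cleanup-tmpdirs.patch adds the `shutil.rmtree(cwd)`; the two patches must ship together. Moving `import tempfile` to the module top (`@@ -10,6 +10,7 @@`, with the removal at `@@ -286,7 +287,6 @@`) is required, since the `cwd` branch is outside the Jython-only block that previously held the import.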
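Review bot: in the cleanup-tmpdirs.patch hunk at `@@ -338,6 +338,8 @@`, the new `if cwd is not None: shutil.rmtree(cwd)` inside `finally:` relies on `cwd` being bound (to None) on the path where the working directory is writable; the hunk that sets `cwd = tempfile.mkdtemp()` shows only the non-writable branch, so please confirm that 1.4.9's `_install_req` initialises `cwd = None` before the `os.access()` check, otherwise the common case raises NameError from the finally block. Also consider `shutil.rmtree(cwd, ignore_errors=True)` (or a try/except around the call): an exception from rmtree inside `finally:` replaces whatever exception the try body raised and hides the real failure. Deleting the copied tarball along with the directory is intended, since it was only a staging copy.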
Bug#652653: python-virtualenv: insecure /tmp file handling
On Fri, 2012-05-04 at 20:40 +0200, Stefano Rivera wrote:
> Hi Adam (2012.05.03_00:21:24_+0200)
> > That happened now, as #661272 which was recently fixed in sid (thanks
> > Stefano!). In terms of getting stable updated, either a 1.4.9-3squeeze2
> > package could be prepared incorporating the extra fixes, or we could
> > reject the original package and fix everything in one upload. Thoughts?
>
> I have prepared an upload to replace the existing one (reject), so that I
> could edit the changelog to close this bug and mention the CVE. debdiff
> attached.
>
> +Description: Cleanup temporary directory created with mkdtemp()
> + This patch was backported from the cleanup_tmpdirs.patch applied in 1.7.1.2-1
> + .
> + The base64 mess is equivalent to:

Nice. :-)

Please go ahead; thanks.

Regards,

Adam

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#652653: python-virtualenv: insecure /tmp file handling
On Tue, 2011-12-20 at 20:18 +, Adam D. Barratt wrote:
> On Tue, 2011-12-20 at 09:44 +0100, Piotr Ożarowski wrote:
> > [Adam D. Barratt, 2011-12-19]
[...]
> > > Looking at the diff, and the equivalent code in the unstable package,
> > > there seems to be a missing component - namely, that the directory
> > > created via mkdtemp() is never cleaned up. Am I missing something, or
> > > does fixing this issue result in orphaned temporary directories?
> >
> > the old code didn't do it as well,
>
> Well, trying to remove /tmp would be a silly idea. ;-)
>
> > I can update the patch to remove it
>
> That would be good, although in that case the change should be made in
> unstable first (and pushed upstream?).

That happened now, as #661272 which was recently fixed in sid (thanks
Stefano!).

In terms of getting stable updated, either a 1.4.9-3squeeze2 package could
be prepared incorporating the extra fixes, or we could reject the original
package and fix everything in one upload.

Thoughts?

Regards,

Adam
Bug#652653: python-virtualenv: insecure /tmp file handling
notfixed 652653 1.4.9-1
notfound 652653 1.6-1
fixed 652653 1.6-1
thanks

Hi Nico (2011.12.20_22:23:27_+0200)
> I mark this as fixed in 1.4.9-1. It's true that the patch doesn't clean
> the directory, but since that is not security related I don't mind.
> lenny/squeeze still have the vulnerable code.

Err, no, this was only fixed in 1.6.

For the record, the tmp dir cleaning is #661272.

SR

-- 
Stefano Rivera
http://tumbleweed.org.za/
H: +27 21 465 6908 C: +27 72 419 8559 UCT: x3127
Bug#652653: python-virtualenv: insecure /tmp file handling
On Tue, 2011-12-20 at 20:18 +, Adam D. Barratt wrote:
> On Tue, 2011-12-20 at 09:44 +0100, Piotr Ożarowski wrote:
> > [Adam D. Barratt, 2011-12-19]
> > > Looking at the diff, and the equivalent code in the unstable package,
> > > there seems to be a missing component - namely, that the directory
> > > created via mkdtemp() is never cleaned up. Am I missing something, or
> > > does fixing this issue result in orphaned temporary directories?
> >
> > the old code didn't do it as well,
>
> Well, trying to remove /tmp would be a silly idea. ;-)
>
> > I can update the patch to remove it
>
> That would be good, although in that case the change should be made in
> unstable first (and pushed upstream?).

Any news on that?

Regards,

Adam
Bug#652653: python-virtualenv: insecure /tmp file handling
[Adam D. Barratt, 2011-12-19]
> I noticed that an upload which appears to fix this issue (although
> without referencing the bug number) has appeared in p-u-NEW. Whilst

sorry, I didn't notice a bug was reported

> that's an admirable turn-around :-) it really should have been discussed
> with the SRMs first, rather than simply uploading (I believe this is well
> documented enough by now - if not, please point out where and how we
> could make it clearer).

ups, I assumed someone from SRMs is in the thread

> Looking at the diff, and the equivalent code in the unstable package,
> there seems to be a missing component - namely, that the directory
> created via mkdtemp() is never cleaned up. Am I missing something, or
> does fixing this issue result in orphaned temporary directories?

the old code didn't do it as well, I can update the patch to remove it

-- 
Piotr Ożarowski                         Debian GNU/Linux Developer
www.ozarowski.pl          www.griffith.cc           www.debian.org
GPG Fingerprint: 1D2F A898 58DA AF62 1786 2DF7 AEF6 F1A2 A745 7645
Bug#652653: python-virtualenv: insecure /tmp file handling
On Tue, 2011-12-20 at 09:44 +0100, Piotr Ożarowski wrote:
> [Adam D. Barratt, 2011-12-19]
> > I noticed that an upload which appears to fix this issue (although
> > without referencing the bug number) has appeared in p-u-NEW. Whilst
>
> sorry, I didn't notice a bug was reported

No worries. I assumed the upload was a consequence of the bug report,
given the timing, but obviously not.

> > that's an admirable turn-around :-) it really should have been discussed
> > with the SRMs first, rather than simply uploading (I believe this is well
> > documented enough by now - if not, please point out where and how we
> > could make it clearer).
>
> ups, I assumed someone from SRMs is in the thread

If the thread involved the security team saying "please fix this via
proposed-updates", there's an implied "by talking to the release team"
attached. We're generally not involved in such discussions until after the
security team have decided they don't want to issue a DSA for a particular
issue and someone raises it with us.

> > Looking at the diff, and the equivalent code in the unstable package,
> > there seems to be a missing component - namely, that the directory
> > created via mkdtemp() is never cleaned up. Am I missing something, or
> > does fixing this issue result in orphaned temporary directories?
>
> the old code didn't do it as well,

Well, trying to remove /tmp would be a silly idea. ;-)

> I can update the patch to remove it

That would be good, although in that case the change should be made in
unstable first (and pushed upstream?).

Regards,

Adam
Bug#652653: python-virtualenv: insecure /tmp file handling
Hi,
* Adam D. Barratt <a...@adam-barratt.org.uk> [2011-12-20 21:22]:
> On Tue, 2011-12-20 at 09:44 +0100, Piotr Ożarowski wrote:
[...]
> > > that's an admirable turn-around :-) it really should have been
> > > discussed with the SRMs first, rather than simply uploading (I believe
> > > this is well documented enough by now - if not, please point out where
> > > and how we could make it clearer).
> >
> > ups, I assumed someone from SRMs is in the thread
>
> If the thread involved the security team saying "please fix this via
> proposed-updates", there's an implied "by talking to the release team"
> attached. We're generally not involved in such discussions until after
> the security team have decided they don't want to issue a DSA for a
> particular issue and someone raises it with us.

We will not issue a DSA for this vulnerability. Please go ahead and fix
this through spu.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#652653: python-virtualenv: insecure /tmp file handling
On Tue, 2011-12-20 at 21:24 +0100, Nico Golde wrote:
> Hi,
> * Adam D. Barratt <a...@adam-barratt.org.uk> [2011-12-20 21:22]:
> > If the thread involved the security team saying "please fix this via
> > proposed-updates", there's an implied "by talking to the release team"
> > attached. We're generally not involved in such discussions until after
> > the security team have decided they don't want to issue a DSA for a
> > particular issue and someone raises it with us.
>
> We will not issue a DSA for this vulnerability.

I gathered that now ;-) (although thanks for the explicit answer) - it was
more of a general comment for the future.

Cheers,

Adam
Bug#652653: python-virtualenv: insecure /tmp file handling
Package: python-virtualenv
Version: 1.4.9-3
Severity: grave
Tags: patch

Hi,
it was discovered that python-virtualenv is handling /tmp files in an
insecure manner. The following patch fixed this problem:
https://bitbucket.org/ianb/virtualenv/changeset/8be37c509fe5

A CVE id for this issue has been requested.

Kind regards
Nico
Bug#652653: python-virtualenv: insecure /tmp file handling
Hi,

On Mon, 2011-12-19 at 17:19 +0100, Nico Golde wrote:
> it was discovered that python-virtualenv is handling /tmp files in an
> insecure manner. The following patch fixed this problem:
> https://bitbucket.org/ianb/virtualenv/changeset/8be37c509fe5

I noticed that an upload which appears to fix this issue (although without
referencing the bug number) has appeared in p-u-NEW. Whilst that's an
admirable turn-around :-) it really should have been discussed with the
SRMs first, rather than simply uploading (I believe this is well documented
enough by now - if not, please point out where and how we could make it
clearer).

Looking at the diff, and the equivalent code in the unstable package, there
seems to be a missing component - namely, that the directory created via
mkdtemp() is never cleaned up. Am I missing something, or does fixing this
issue result in orphaned temporary directories?

Regards,

Adam
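The two halves of the fix the thread converges on (a private directory from tempfile.mkdtemp() instead of a fixed /tmp path, and removing that directory again once the work is done) are shown together in the following added example. It is example code written for this page, not code from virtualenv, from the debdiff above or from any of the posters; the function names (stage_in_shared_tmp, stage_in_private_dir, demo_private_workdir), the prefix string and the sample "tarball" are all constructed for the illustration.

```python
"""Added example (not code from the Debian thread or from virtualenv itself).

Side by side: the staging pattern the bug report was about (a fixed, shared
/tmp path, never cleaned up) and the fixed pattern (a private directory from
tempfile.mkdtemp(), removed in a finally: block, which is the part the first
stable upload was missing). Function names and the sample "tarball" are
constructed for this example.
"""
import os
import shutil
import stat
import tempfile


def stage_in_shared_tmp(source, scratch="/tmp"):
    """'Before' pattern, kept only for contrast and never called below.

    The destination is a fixed, world-writable directory plus a predictable
    file name, and nothing is removed afterwards.
    """
    target = os.path.join(scratch, os.path.basename(source))
    shutil.copy(source, target)
    return target


def stage_in_private_dir(source, work):
    """'After' pattern: copy `source` into a private scratch directory, run
    `work(cwd, staged_copy)` and always remove the directory again.

    tempfile.mkdtemp() creates a uniquely named directory with mode 0700,
    so another local user can neither predict nor pre-create the path; the
    finally: block is the cleanup that #661272 added.
    """
    cwd = tempfile.mkdtemp(prefix="virtualenv-example-")  # constructed prefix
    try:
        staged = os.path.join(cwd, os.path.basename(source))
        shutil.copy(source, staged)
        return work(cwd, staged)
    finally:
        # ignore_errors: a failure to clean up must not mask an error raised
        # by `work` (an exception from finally: would replace the original).
        shutil.rmtree(cwd, ignore_errors=True)


def make_sample_tarball():
    """Constructed input: a throwaway file standing in for a source tarball."""
    fd, path = tempfile.mkstemp(suffix=".tar.gz")
    with os.fdopen(fd, "wb") as f:
        f.write(b"not a real tarball, just sample bytes\n")
    return path


def demo_private_workdir():
    """Exercise stage_in_private_dir() and report the security-relevant facts
    as a dict: the scratch dir's permission bits while in use, whether the
    copy was present for `work`, and whether the directory is gone afterwards.
    """
    sample = make_sample_tarball()
    seen = {}

    def work(cwd, staged):
        seen["mode"] = stat.S_IMODE(os.stat(cwd).st_mode)  # 0o700 expected
        seen["copied"] = os.path.isfile(staged)
        seen["scratch_dir"] = cwd
        return "ok"

    try:
        seen["result"] = stage_in_private_dir(sample, work)
    finally:
        os.unlink(sample)
    seen["removed_after"] = not os.path.exists(seen["scratch_dir"])
    return seen


if __name__ == "__main__":
    for key, value in demo_private_workdir().items():
        print(f"{key}: {value}")
```

Running the module prints the mode as the decimal 448 (that is 0o700), confirms the staged copy was visible to `work`, and confirms the scratch directory no longer exists once the call returns. The `ignore_errors=True` choice is deliberate: an exception thrown from a `finally:` block replaces the one being propagated, so a cleanup hiccup would otherwise hide the real reason the staged install failed.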