** Changed in: swift
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1192966

Title:
  Potentially insecure dependency loading

Status in OpenStack Image Registry and Delivery Service (Glance):
  Invalid
Status in OpenStack Object Storage (Swift):
  Invalid

Bug description:
  Grant Murphy and Dhiru Kholia from Red Hat Product Security Team
  reported the following potential issue. This is actually a setuptools
  issue but which we may be able to workaround, if we end up being
  affected:

  ---
  A security flaw was found in the way Python Setuptools, a collection of
  enhancements to the Python distutils module that makes it easier to build
  and distribute Python packages, performed integrity checks when loading
  external resources previously extracted from zipped Python Egg archives
  (formerly, if the timestamp and file size of a particular resource expanded
  from the archive matched the original values, the resource was successfully
  loaded). A local attacker with write permission to the Python egg cache
  directory could use this flaw to provide a specially crafted resource (in
  expanded form) that, when loaded by an application requiring that resource
  to run, would lead to arbitrary code execution with the privileges of the
  user running the application.

  It seems to be pretty common for Python applications to do something
  like os.environ['PYTHON_EGG_CACHE'] = '/tmp' prior to importing
  dependencies.

  If the dependency contains a .so, Python must unpack it into the cache
  directory to be able to load it. However, if an attacker pre-emptively
  places a .so in the same location, it will be loaded as long as the file
  has the same timestamp and file size.
  ---

  Glance and Swift both set PYTHON_EGG_CACHE to '/tmp' :
  ./glance/glance/cmd/control.py:        os.environ['PYTHON_EGG_CACHE'] = '/tmp'
  ./swift/swift/common/manager.py:    os.environ['PYTHON_EGG_CACHE'] = '/tmp'

  If we are immediately vulnerable to this (i.e. if stuff loaded from
  those commands contains an .so, if I understand correctly), we could
  workaround it by setting it to /tmp/secure-dir-XXXXXX/ until
  setuptools upstream fixes this.
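The workaround proposed above (a private, freshly created cache directory instead of the shared '/tmp') written out as a small Python helper. This is an added example, not code from the Glance or Swift trees; the function names `egg_cache_is_safe` and `configure_egg_cache` are assumptions, and the check it applies (directory owned by the calling user and not group- or world-writable) is the condition under which another local user cannot pre-seed extracted resources.

```python
import os
import stat
import tempfile

# The weak setting found in glance/cmd/control.py and swift/common/manager.py
# at the time of the report: a shared, world-writable directory.
WEAK_EGG_CACHE = '/tmp'


def egg_cache_is_safe(path):
    """Return True only if `path` is a real directory (not a symlink) owned
    by the current user and not writable by group or others."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode):      # symlinks and plain files are rejected
        return False
    if st.st_uid != os.getuid():          # another user could replace contents
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def configure_egg_cache(base_dir=None):
    """Create a private egg cache (mode 0700, unpredictable name) and point
    PYTHON_EGG_CACHE at it. Call this before pkg_resources extracts anything
    (in practice: before the dependencies are imported). Returns the path."""
    base_dir = base_dir or tempfile.gettempdir()
    # mkdtemp creates the directory atomically with mode 0700 and a random
    # suffix, which is the /tmp/secure-dir-XXXXXX/ shape proposed in the bug.
    cache_dir = tempfile.mkdtemp(prefix='secure-dir-', dir=base_dir)
    if not egg_cache_is_safe(cache_dir):
        raise RuntimeError('egg cache %s is not private' % cache_dir)
    os.environ['PYTHON_EGG_CACHE'] = cache_dir
    return cache_dir


if __name__ == '__main__':
    print('shared /tmp safe:', egg_cache_is_safe(WEAK_EGG_CACHE))
    print('using egg cache:', configure_egg_cache())
```

Unlike a fixed path such as '/tmp', the directory is created by the process itself, so there is no window in which a pre-existing attacker-controlled directory can be adopted.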
