Jakub Wilk <[email protected]> writes: > Hi Dmitrijs, > >>+@@ -145,7 +145,7 @@ >>+ line = line.rstrip("\n") >>+ if fileType == "sh": >>+ if line == "#PYTHONPATH": >>+- script.append('PYTHONPATH="%s:$PYTHONPATH"' % >>(install_lib,)) >>++ script.append('PYTHONPATH="%s:+:$PYTHONPATH"' % >>(install_lib,)) >>+ elif line == "#PATH": >>+ script.append('PATH="%s:$PATH"' % (os.path.join(base, >>"bin"),)) >>+ else: > > This patch looks very suspicious. Have you actually tested it? > > Besides, as far as I can see, /usr/bin/caldavd doesn't need PYTHONPATH > mangling > at all.
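Review bot: the "+" line of the hunk writes the literal characters ":+:" into the generated script rather than a conditional expansion, so the resulting /usr/bin/caldavd line is PYTHONPATH="<install_lib>:+:$PYTHONPATH" (exactly what the reply below quotes): that puts a relative path element named "+" and an empty element (two of them when $PYTHONPATH is unset) on sys.path, and Python resolves both against the current working directory, which is the import-hijacking concern raised below. The sh idiom for "append :$PYTHONPATH only if it is set" is ${PYTHONPATH:+:$PYTHONPATH}, so the line would have to read script.append('PYTHONPATH="%s${PYTHONPATH:+:$PYTHONPATH}"' % (install_lib,)); note, however, that the removed "-" line already produced a trailing empty element whenever PYTHONPATH was unset, so if the rewrite is kept at all, dropping the $PYTHONPATH suffix entirely is the safer change, and the earlier remark that caldavd does not need this mangling argues for removing the rewrite instead of patching it.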
Hello Jakub,
Yes, the patch is strange, because the build system is strange. The
source scripts actually have the line "#PYTHONPATH", which is rewritten
at build time. From the build log:
rewriting
/home/tdlk/src/build-dir/calendarserver-2.4.dfsg/debian/calendarserver/usr/bin/caldavd
rewriting
/home/tdlk/src/build-dir/calendarserver-2.4.dfsg/debian/calendarserver/usr/bin/calendarserver_export
rewriting
/home/tdlk/src/build-dir/calendarserver-2.4.dfsg/debian/calendarserver/usr/bin/calendarserver_manage_principals
With my patch applied the resulting /usr/bin/caldavd has:
PYTHONPATH="/usr/lib/twisted-calendarserver/lib/python2.6/site-packages/:+:$PYTHONPATH"
Then it goes on to perform many checks and finally (after finding
everything it needs) it sets:
export PYTHONPATH=`${python} -c 'import sys; print
"/usr/lib/twisted-calendarserver/lib/python%s/site-packages" %
(sys.version[:3])'`
echo exec "${python}" "${twistdpath}" "${twistd_reactor}" ${daemonize}
${username} ${groupname} "${plugin_name}" ${configfile} ${service_type}
${profile} "${child_reactor}";
exec "${python}" "${twistdpath}" ${twistd_reactor} ${daemonize} ${username}
${groupname} "${plugin_name}" ${configfile} ${service_type} ${profile}
${child_reactor};
Between the first PYTHONPATH and the second it executes this:
echo "$("${python}" -c "from distutils.sysconfig import get_python_version;
print get_python_version()")";
So if I drop an evil "distutils.sysconfig" in the current dir, I can
potentially do something evil? Or am I getting this wrong?
Thanks for the review.
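The mechanism behind the worry above, as an added example that is not part of this thread or of the calendarserver build system: the script below re-creates the three PYTHONPATH="..." lines the rewrite could emit (the original one, the patched one with the literal ":+:", and a hypothetical variant using the sh ${PYTHONPATH:+:$PYTHONPATH} expansion, which is this example's assumption rather than anything in the project), expands them the way sh would for a set and for an unset inherited PYTHONPATH, splits the result the way CPython splits PYTHONPATH, and reports which sys.path entries are resolved against the current working directory. The install_lib value is the one quoted from /usr/bin/caldavd above; the audit is a check a packager can run over a generated wrapper script, not part of the original code.

```python
"""Audit what a generated PYTHONPATH="..." sh line puts on sys.path.

Added example for this thread (not calendarserver code). Python 3.
"""
import re

# Value quoted from the rewritten /usr/bin/caldavd earlier in the thread.
INSTALL_LIB = "/usr/lib/twisted-calendarserver/lib/python2.6/site-packages/"

# The script lines as setup.py's %-formatting would emit them.
ORIGINAL_LINE = 'PYTHONPATH="%s:$PYTHONPATH"' % (INSTALL_LIB,)      # the "-" line
PATCHED_LINE = 'PYTHONPATH="%s:+:$PYTHONPATH"' % (INSTALL_LIB,)     # the "+" line
# Hypothetical alternative (assumption of this example): sh's ${var:+word}
# expansion appends ":$PYTHONPATH" only when PYTHONPATH is set and non-empty.
CONDITIONAL_LINE = 'PYTHONPATH="%s${PYTHONPATH:+:$PYTHONPATH}"' % (INSTALL_LIB,)
# Simplest safe form: do not inherit anything at all.
FIXED_LINE = 'PYTHONPATH="%s"' % (INSTALL_LIB,)

_ASSIGN = re.compile(r'^PYTHONPATH="(.*)"$')
PATHSEP = ":"  # sh / POSIX Python path separator


def expand_assignment(line, env_pythonpath):
    """Evaluate one PYTHONPATH="..." sh assignment for a given inherited
    $PYTHONPATH (None means unset).  Only the two expansions that occur in
    the lines above are emulated: $PYTHONPATH and ${PYTHONPATH:+:$PYTHONPATH}.
    Returns the string the shell would store in PYTHONPATH."""
    m = _ASSIGN.match(line)
    if not m:
        raise ValueError("not a PYTHONPATH assignment: %r" % (line,))
    value = m.group(1)
    inherited = env_pythonpath or ""
    # ${PYTHONPATH:+:$PYTHONPATH} -> ":<inherited>" if set and non-empty, else "".
    value = value.replace("${PYTHONPATH:+:$PYTHONPATH}",
                          (":" + inherited) if inherited else "")
    # A bare $PYTHONPATH expands to the (possibly empty) inherited value.
    value = value.replace("$PYTHONPATH", inherited)
    return value


def sys_path_entries(pythonpath):
    """Split the way CPython does: on the separator, keeping empty components.
    An empty component becomes '' on sys.path, i.e. the current directory."""
    return pythonpath.split(PATHSEP)


def cwd_controlled_entries(pythonpath):
    """Entries whose meaning depends on where the process was started from:
    empty strings (cwd itself) and relative paths (resolved against cwd)."""
    return [e for e in sys_path_entries(pythonpath)
            if e == "" or not e.startswith("/")]


def audit(lines, inherited_values=(None, "/opt/extra")):
    """For each candidate line and each inherited PYTHONPATH, return the
    cwd-controlled entries it would leave on sys.path."""
    report = {}
    for label, line in lines.items():
        for inherited in inherited_values:
            expanded = expand_assignment(line, inherited)
            report[(label, inherited)] = cwd_controlled_entries(expanded)
    return report


if __name__ == "__main__":
    candidates = {"original": ORIGINAL_LINE, "patched": PATCHED_LINE,
                  "conditional": CONDITIONAL_LINE, "fixed": FIXED_LINE}
    for (label, inherited), bad in sorted(audit(candidates).items(), key=str):
        state = "unset" if inherited is None else repr(inherited)
        verdict = "OK" if not bad else "cwd-dependent entries %r" % (bad,)
        print("%-12s PYTHONPATH %-12s -> %s" % (label, state, verdict))
```

Running it shows the patched line leaving "+" and an empty entry on sys.path when PYTHONPATH is unset (and "+" even when it is set), the original line leaving one empty entry when unset, and both the conditional and the fixed form leaving nothing that depends on the working directory.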