Untrusted search path vulnerabilities

2010-11-17 Thread Jakub Wilk
A number of packages in the archive set the PYTHONPATH environment 
variable in an insecure way. They do something like:

  PYTHONPATH=/spam/eggs:$PYTHONPATH

This is wrong, because if PYTHONPATH were originally unset or empty, 
the current working directory would be added to sys.path.


These packages are affected:

a) packages with vulnerable scripts in /usr/bin:

* calendarserver (1.2.dfsg-8, 2.4.dfsg-2)
* distcc-pump (3.1-3.1)
* gnome-schedule (2.0.2-1.1, 2.1.1-3)
* gnumed-client (0.7.9-1, 0.8.4-1)
* gquilt (0.20-2, 0.22-1)
* guake (0.4.2-1, 0.4.2-2)
* ironpython (2.6~beta2-2)
* mmass (3.8.0-1)
* opendnssec-signer (1.1.0-2, 1.1.3-1)
* pybliographer (1.2.12-3.2, 1.2.14-2)
* pymca (4.4.0-1)
* salome (5.1.3-9)
* snappea (3.0d3-20)

b) packages with scripts/modules outside PATH (it's not clear if they 
are exploitable or not):


* ibus-anthy (1.2.1-1, 1.2.3-1)
* ibus-skk (0.0.10-1, 1.3.3-1)
* ibus-xkbc (1.3.3.20100804-1)
* python-axiom (0.6.0-2)
* python-epsilon (0.5.9-1)

c) packages with insecure advice in their documentation or vulnerable 
example scripts:


* python-matplotlib-doc (0.99.3-1)
* python-omniorb-doc (3.3-1)
* python-sqlobject (0.10.2-3, 0.12.4-2)
* python-visual (1:5.12-1.1)
* python-tables-doc (2.0.3-1, 2.1.2-3.1)
* python-uno (1:2.4.1+dfsg-1+lenny8, 1:3.2.1-7, 1:3.3.0~beta2-2)
* python2.7-examples (2.7-9)
* python3.1-examples (3.1.2+20100926-1, 3.1.2+20101012-1)
* python3.2-examples (3.2~a3-1)
* twisted-doc (8.1.0-4, 10.1.0-3)

Full log and dd-list are attached.

Any volunteers to file bugs? :)

(The security team was contacted beforehand and they agreed to disclose 
these bugs. This message was bcc-ed to the testing security team.)


--
Jakub Wilk
* calendarserver (1.2.dfsg-8, 2.4.dfsg-2)
/usr/bin/caldavd-17-#
/usr/bin/caldavd-18-# DRI: David Reid, dr...@apple.com
/usr/bin/caldavd-19-##
/usr/bin/caldavd-20-
/usr/bin/caldavd-21-PATH="/usr/bin:$PATH"
/usr/bin/caldavd:22:PYTHONPATH="/usr/lib/python2.5/site-packages/:$PYTHONPATH"
/usr/bin/caldavd-23-
/usr/bin/caldavd-24-daemonize="";
/usr/bin/caldavd-25-username="";
/usr/bin/caldavd-26-groupname="";
/usr/bin/caldavd-27-configfile="";

* distcc-pump (3.1-3.1)
/usr/bin/distcc-pump-283-#
/usr/bin/distcc-pump-284-# which will pass '*' to the include server (that is, the string consisting
/usr/bin/distcc-pump-285-# of one asterisk) without filename expansion.
/usr/bin/distcc-pump-286-eval \
/usr/bin/distcc-pump-287-  "PYTHONOPTIMIZE='$PYTHONOPTIMIZE' " \
/usr/bin/distcc-pump:288:  "PYTHONPATH='$pythonpath::$PYTHONPATH' " \
/usr/bin/distcc-pump-289-  "'$PYTHON'"   \
/usr/bin/distcc-pump-290- "'$include_server'"\
/usr/bin/distcc-pump-291- --port "'$socket'" \
/usr/bin/distcc-pump-292- --pid_file "'$tmp_pid_file'"   \
/usr/bin/distcc-pump-293- -d1\

* gnome-schedule (2.0.2-1.1, 2.1.1-3)
/usr/bin/gnome-schedule-1-#! /bin/sh
/usr/bin/gnome-schedule:2:PYTHONPATH=::/usr/lib/python2.5/site-packages/gtk-2.0/:$PYTHONPATH /usr/bin/python /usr/share/gnome-schedule/gnome-schedule.py $1
/usr/share/gnome-schedule/config.py-19-
/usr/share/gnome-schedule/config.py-20-version = "2.1.1"
/usr/share/gnome-schedule/config.py-21-image_dir = "/usr/share/pixmaps/gnome-schedule"
/usr/share/gnome-schedule/config.py-22-gs_dir = "/usr/share/gnome-schedule"
/usr/share/gnome-schedule/config.py-23-glade_dir = gs_dir
/usr/share/gnome-schedule/config.py:24:xwrapper_exec = "PYTHONPATH=::/usr/lib/python2.5/site-packages/gtk-2.0/:$PYTHONPATH /usr/bin/python /usr/share/gnome-schedule/xwrapper.py"
/usr/share/gnome-schedule/config.py-25-locale_dir = "/usr/share/locale"
/usr/share/gnome-schedule/config.py-26-crontabbin = "/usr/bin/crontab"
/usr/share/gnome-schedule/config.py-27-atbin = "/usr/bin/at"
/usr/share/gnome-schedule/config.py-28-atqbin = "/usr/bin/atq"
/usr/share/gnome-schedule/config.py-29-atrmbin = "/usr/bin/atrm"

* gnumed-client (0.7.9-1, 0.8.4-1)
/usr/bin/gnumed-36-
/usr/bin/gnumed-37-
/usr/bin/gnumed-38-# packages which install the GNUmed python modules into a path not
/usr/bin/gnumed-39-# already accessible for imports via sys.path (say, /usr/share/gnumed/)
/usr/bin/gnumed-40-# may need to adjust PYTHONPATH appropriately here
/usr/bin/gnumed:41:export PYTHONPATH="${PYTHONPATH}:/usr/share/gnumed/"
/usr/bin/gnumed-42-export PATH="${PATH}:/usr/share/gnumed/bin"
/usr/bin/gnumed-43-
/usr/bin/gnumed-44-# now run the client
/usr/bin/gnumed-45-python -m Gnumed.gnumed ${OPTIONS}
/usr/bin/gnumed-46-

* gquilt (0.20-2, 0.22-1)
/usr/bin/gquilt-6-export GQUILT_LIB_DIR
/usr/bin/gquilt-7-
/usr/bin/gquilt-8-GQUILT_ICON=$PREFIX/share/pixmaps/gquilt.xpm
/usr/bin/gquilt-9-export GQUILT_ICON
/usr/bin/gquilt-10-
/usr/bin/gquilt:11:PYTHONPATH=$PYTHONPATH:$GQUILT_LIB_DIR
/usr/bin/gquilt-12-export PYTHONPATH
/usr/bin/gquilt-13-
/usr/bin/gquilt-14-exec python $GQUILT_LIB_DIR/gquilt.py

* guake (0.4.2-1, 0.4.2-2)
/usr/bin/guake-prefs-16-# License along wit
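As an added example (not from Jakub's mail or its attached log), a small POSIX sh lint for the pattern reported above: it flags an assignment when it can leave an empty component in PYTHONPATH, i.e. when `$PYTHONPATH` or `${PYTHONPATH}` is spliced in without a guard, or when the value contains a literal `::`. The `${PYTHONPATH:+...}` form suggested later in this thread is treated as safe, and commented-out lines are skipped. The sample input is constructed in grep -n style and modelled on the attached log; the `/usr/bin/fixed-wrapper` lines are made up to show a clean script.

```shell
#!/bin/sh
# Added example, not part of the original report. Lint for wrapper scripts
# that build PYTHONPATH in a way that can yield an empty path component.

# insecure_assignment LINE: succeed (0) if LINE is an unguarded PYTHONPATH
# assignment, fail (1) otherwise.
insecure_assignment() {
    # drop leading whitespace so commented-out lines are recognised as comments
    lead=${1%%[![:space:]]*}
    stripped=${1#"$lead"}
    case "$stripped" in
        '#'*)                       return 1 ;;   # comment, not code
        *'${PYTHONPATH:+'*)         return 1 ;;   # guarded splice: no empty component
        *PYTHONPATH=*'$PYTHONPATH'* | *PYTHONPATH=*'${PYTHONPATH}'* | *PYTHONPATH=*::*)
                                    return 0 ;;   # empty component possible
    esac
    return 1
}

# count_insecure: read lines on stdin, print how many are flagged.
count_insecure() {
    n=0
    while IFS= read -r line; do
        insecure_assignment "$line" && n=$((n + 1))
    done
    echo "$n"
}

# sample_lines: constructed grep -n style lines modelled on the attached log.
# The fixed-wrapper entries are invented to show what a clean script looks like.
sample_lines() {
    cat <<'EOF'
/usr/bin/caldavd:22:PYTHONPATH="/usr/lib/python2.5/site-packages/:$PYTHONPATH"
/usr/bin/distcc-pump:288:  "PYTHONPATH='$pythonpath::$PYTHONPATH' " \
/usr/bin/gnome-schedule:2:PYTHONPATH=::/usr/lib/python2.5/site-packages/gtk-2.0/:$PYTHONPATH
/usr/bin/gnumed:41:export PYTHONPATH="${PYTHONPATH}:/usr/share/gnumed/"
/usr/bin/gquilt:11:PYTHONPATH=$PYTHONPATH:$GQUILT_LIB_DIR
/usr/bin/gnumed:40:# may need to adjust PYTHONPATH appropriately here
/usr/bin/fixed-wrapper:5:PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
/usr/bin/fixed-wrapper:6:export PYTHONPATH
EOF
}

# Demo: print each flagged line, then the total.
sample_lines | while IFS= read -r line; do
    if insecure_assignment "$line"; then
        printf 'INSECURE: %s\n' "$line"
    fi
done
printf 'flagged %s of %s lines\n' "$(sample_lines | count_insecure)" "$(sample_lines | wc -l)"
```

Run over a real tree with something like `grep -rn 'PYTHONPATH=' /usr/bin | while IFS= read -r l; do insecure_assignment "$l" && echo "$l"; done`; the lint is deliberately pessimistic, so a flagged line still needs a human look.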

Re: Untrusted search path vulnerabilities

2010-11-17 Thread Éric Araujo
Hello,

> * python2.7-examples (2.7-9)
> * python3.1-examples (3.1.2+20100926-1, 3.1.2+20101012-1)
> * python3.2-examples (3.2~a3-1)

For the person reporting those: If they need to be forwarded upstream,
feel free to cc: me in the bug report and I’ll do it.

Regards


-- 
To UNSUBSCRIBE, email to debian-python-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4ce45397.4060...@netwok.org



Re: Untrusted search path vulnerabilities

2010-11-17 Thread Sandro Tosi
Hi Jakub & all others,
nice to see you back at full force :)

On Wed, Nov 17, 2010 at 22:58, Jakub Wilk  wrote:
> Any volunteers to file bugs? :)

I'll do that tomorrow, if no-one beats me.

Severity? grave for the vulnerable packages, important for the others?
in this case, was release team already contacted about that? I don't
think this mini-RC-MBF would make them happy

Also, just to give some advice to the maints: the correct approach
here is to check if PYTHONPATH is set before (blindly) appending it to
PYTHONPATH - or is there something else to do?

Cheers,
-- 
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi


Archive: http://lists.debian.org/aanlktikcmpbmf=l=c_2oltqvtbysn9x+6oba9zc=h...@mail.gmail.com



Re: Untrusted search path vulnerabilities

2010-11-17 Thread Jakub Wilk

* Sandro Tosi , 2010-11-17, 23:37:
>> Any volunteers to file bugs? :)
>
> I'll do that tomorrow, if no-one beats me.

Thanks.

> Severity? grave for the vulnerable packages, important for the others?

I think so.

> in this case, was release team already contacted about that? I don't
> think this mini-RC-MBF would make them happy

I didn't contact RT. It certainly won't make them happy, but also 
there's not much they can do about that.

> Also, just to give some advice to the maints: the correct approach
> here is to check if PYTHONPATH is set before (blindly) appending it to
> PYTHONPATH - or is there something else to do?

You can use something like:

PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}

(If you don't know this construct, grep for "Use Alternative Value" in 
the bash/dash manpage.)


Also, in cases like

PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH

or

PYTHONPATH=$PYTHONPATH:$SPAMDIR
exec python $SPAMDIR/spam.py

you shouldn't need to touch PYTHONPATH at all.

--
Jakub Wilk
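As an added example (not from the thread), the reported construction and the `${PYTHONPATH:+...}` fix suggested above side by side in POSIX sh, run with PYTHONPATH unset, empty and already set; `/spam/eggs` and `/opt/lib/python` are placeholder directories. A small helper checks a finished value for an empty component, and if python3 is on PATH the demo also asks the interpreter whether the working directory ended up on sys.path.

```shell
#!/bin/sh
# Added example, not part of the original mail. Shows why
# "PYTHONPATH=/spam/eggs:$PYTHONPATH" is unsafe and how the
# "Use Alternative Value" expansion avoids the empty component.

# The reported pattern: with PYTHONPATH unset or empty this yields
# "/spam/eggs:", and the empty component makes Python put the current
# working directory on sys.path.
insecure_prepend() {
    printf '%s' "$1:$PYTHONPATH"
}

# The fix from the thread: ":$PYTHONPATH" is only appended when
# PYTHONPATH is set and non-empty.
safe_prepend() {
    printf '%s' "$1${PYTHONPATH:+:$PYTHONPATH}"
}

# has_empty_component VALUE: succeed if VALUE contains a leading, trailing
# or doubled colon. A completely empty PYTHONPATH is ignored by the
# interpreter, so it is reported as clean.
has_empty_component() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
    esac
    return 1
}

# Demo driver: both constructions under the three environments.
demo() {
    for state in unset empty set; do
        case $state in
            unset) unset PYTHONPATH ;;
            empty) PYTHONPATH= ;;
            set)   PYTHONPATH=/opt/lib/python ;;   # placeholder directory
        esac
        ins=$(insecure_prepend /spam/eggs)
        saf=$(safe_prepend /spam/eggs)
        printf 'PYTHONPATH %-5s  insecure=%-28s safe=%s\n' "$state" "'$ins'" "'$saf'"
        if has_empty_component "$ins"; then
            printf '    -> insecure value has an empty component\n'
        fi
        # Optional probe: let the interpreter report whether the cwd is on
        # sys.path (site.py turns the empty entry into the absolute cwd).
        if command -v python3 >/dev/null 2>&1; then
            for v in "$ins" "$saf"; do
                PYTHONPATH=$v python3 -c \
                  'import os, sys; print("    PYTHONPATH=%r -> cwd on sys.path: %s" % (os.environ.get("PYTHONPATH"), os.getcwd() in sys.path))'
            done
        fi
    done
}

demo
```

The same `${VAR:+...}` idiom applies to the append form (`PYTHONPATH=${PYTHONPATH:+$PYTHONPATH:}/spam/eggs`), and as Jakub notes, a wrapper that execs a script by absolute path usually needs no PYTHONPATH change at all.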


Archive: http://lists.debian.org/20101118001240.ga5...@jwilk.net