Re: Issue with PYTHON_EGG_CACHE

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Python .egg files can be loaded dynamically as dependencies. In order
> to process native DSO in .egg distributions the content of the file is
> unpacked. By default Python unpacks the files to $HOME/.python-eggs
> however this 'egg cache' directory can be overwritten by setting the
> environment variable PYTHON_EGG_CACHE.
>
> It is common practice to set this to a world writeable directory such
> as /tmp in the instances where the user the process is executing as
> does not have a home directory (e.g. httpd). Unfortunately the
> extraction is done in such a way that the extraction path for the DSO
> is deterministic. As such it exposes a TOCTOU attack vector where a
> user my pre-emptively injecting a specially crafted DSO to achieve
> arbitrary code execution and potentially privilege escalation.
>
> The current version of setuptools attempts to mitigate this threat by
> a number of additional integrity checks in conjunction with issuing a
> warning if the extract directory is group or world writeable.
>
> This fix was introduced in version 0.6.46 of Python setuptools
> (https://pypi.python.org/pypi/setuptools#id48).

This report didn't have enough information to assign any CVE IDs. When
you say "It is common practice to set this to a world writeable
directory such as /tmp in the instances where the user the process is
executing as does not have a home directory (e.g. httpd)," can you
describe where this common practice is observed? It seems likely that
a separate CVE ID could be assigned for each application that follows
this unsafe practice, as long as the application is an open-source
product intended for deployment at multiple arbitrary sites.

Looking at this from the perspective of setuptools "Issue a warning if
the PYTHON_EGG_CACHE or otherwise customized egg cache location
specifies a directory that's group- or world-writable," this seems to
be a security improvement, not a vulnerability fix. Accordingly, a CVE
ID would probably not be assigned with setuptools as the
affected/responsible product.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSplCSAAoJEKllVAevmvmsQCMIAKY/Z3HKUGt64j/sCCK8QlC8
esrR9EGrGDpL+Rqog+RdARYeFnTjWWf7umKppFu5Pw6rsX+r/Gjg1izh3AZDP+rs
y7I+efa7JyOeVSeUd3CecgdEztNiF1Vqg6jrMvvNyix7zpUyAkvz/frJQDgmHv+1
kpdiwBBHDkQhVPR0wLGbna6Yrj4JZuG30/I0Zxp/8cMsGnkfv2NAuqZJQ0C4U2Jv
uMA2cHfY8A6Fz+Rm1IhJxxNjkVJ/qgFZVqAlo3E4HfnJTCxTGajHHyRF1oxJIjqu
dszkIVYADr542Bd28JT1ARjvEdJzWPLN5BjHC+1T7+HIxUkhkGi6IJV8KL9mdqs=
=qxcY
-----END PGP SIGNATURE-----