oss-sec mailing list archives

Re: CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric)


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 30 Jan 2009 13:56:25 +0100

Hello again Steve,

  got couple of points to discuss yet:

  1, thanks! for all the CVEs (probably more reports still
to come, since currently still investigating all
the F10 srpms code in Everything repo to ensure we didn't
miss something). Recommending other distros to behave in
similar way.

  2, 

Do you have any upstream bug ID's for the Python bug itself, or some
Python mailing list?  I'd like to capture that issue there, if possible.

I'm using CVE-2008-5983 to help track the Python bug itself.


Not aware of any upstream Python bug report
yet (there are still some obstacles with the patch :(,
so it seems the upstream root Python issue fix can not
be expected any time soon (that's why we reported this issue
in most affected applications/packages at least).

Current RH status can be seen here:

https://bugzilla.redhat.com/show_bug.cgi?id=482814#c1 and here:
https://bugzilla.redhat.com/show_bug.cgi?id=482814#c4 and here:
https://bugzilla.redhat.com/show_bug.cgi?id=482814#c5

For testing purposes it is possible to use Ray Strode's test case
from:

https://bugzilla.redhat.com/show_bug.cgi?id=481556#c8

The Python upstream bug report will follow as soon as we will
find a patch, which would resolve also the 'sub-modules,
which are in more than a one file' ('import utils' example) case.

3, The original CVE-2008-5983 description will need modification.
Robert is right, this issue is still present also in Python
2.6 (even absolute imports didn't resolve it). For more
details please proceed to:

http://www.openwall.com/lists/oss-security/2009/01/28/5 and to:
https://bugzilla.redhat.com/show_bug.cgi?id=482814#c1

So please update the text of CVE-2008-5983 to state:

"... in Python prepends an empty string to sys.path ...".

Thanks && regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team


On Tue, 2009-01-27 at 21:38 -0500, Steven M. Christey wrote:
On Mon, 26 Jan 2009, Jan Lieskovsky wrote:

Though this is a Python flaw (insertion of cwd at the
beginning of the Python modules search path), according to our Python
maintainers it can't be fixed on Python's side due the need
of ensuring the work of other numerous packages, when loading
Python modules.

This was a bit of a pain CVE-wise, though  I suspect it was less painful
than what the maintainers are going through.

It seems fair to label the Python bug separately as an instance of
CWE-684: Failure to Provide Specified Functionality (or some other "API
Abuse CWE-227 problem).  Then we could assign separate CVE's for the
others ("failure to work around a known issue in the underlying
interpreter").  I'm always worried about these kinds of things producing
mass amounts of CVE's, and it doesn't seem fair to those applications -
but given that Python upstream can't/won't fix the issue, this seems the
best approach, since the apps will have to be patched themselves.

Do you have any upstream bug ID's for the Python bug itself, or some
Python mailing list?  I'd like to capture that issue there, if possible.

I'm using CVE-2008-5983 to help track the Python bug itself.

For the individual apps:

CVE-2008-5984 - Dia
CVE-2008-5985 - Epiphany
CVE-2008-5986 - Csound
CVE-2008-5987 - eog

They all had 2008 CVE's because of James Vega's work in November, which
was "technically public" at that time.

The following ones are 2009 because the first disclosure seems to be from
Jan in the original oss-security post.

Does anybody have upstream version information for these?  They aren't in
the Red Hat bug reports, so the descriptions have no versions.

CVE-2009-0314 - gedit
CVE-2009-0315 - xchat
CVE-2009-0316 - vim
CVE-2009-0317 - Nautilus
CVE-2009-0318 - Gnumeric


- Steve



Current thread: