Re: Re: Issue with PYTHON_EGG_CACHE

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/09/2013 04:39 PM, cve-assign () mitre org wrote:
> > Python .egg files can be loaded dynamically as dependencies. In
> > order to process native DSO in .egg distributions the content of
> > the file is unpacked. By default Python unpacks the files to
> > $HOME/.python-eggs however this 'egg cache' directory can be
> > overwritten by setting the environment variable
> > PYTHON_EGG_CACHE.
>
> > It is common practice to set this to a world writeable directory
> > such as /tmp in the instances where the user the process is
> > executing as does not have a home directory (e.g. httpd).
> > Unfortunately the extraction is done in such a way that the
> > extraction path for the DSO is deterministic. As such it exposes
> > a TOCTOU attack vector where a user my pre-emptively injecting a
> > specially crafted DSO to achieve arbitrary code execution and
> > potentially privilege escalation.
>
> > The current version of setuptools attempts to mitigate this
> > threat by a number of additional integrity checks in conjunction
> > with issuing a warning if the extract directory is group or world
> > writeable.
>
> > This fix was introduced in version 0.6.46 of Python setuptools 
> > (https://pypi.python.org/pypi/setuptools#id48).
>
> This report didn't have enough information to assign any CVE IDs.
> When you say "It is common practice to set this to a world
> writeable directory such as /tmp in the instances where the user
> the process is executing as does not have a home directory (e.g.
> httpd)," can you describe where this common practice is observed?
> It seems likely that a separate CVE ID could be assigned for each
> application that follows this unsafe practice, as long as the
> application is an open-source product intended for deployment at
> multiple arbitrary sites.
>
> Looking at this from the perspective of setuptools "Issue a warning
> if the PYTHON_EGG_CACHE or otherwise customized egg cache location 
> specifies a directory that's group- or world-writable," this seems
> to be a security improvement, not a vulnerability fix. Accordingly,
> a CVE ID would probably not be assigned with setuptools as the 
> affected/responsible product.

Lots of code does this:

OpenStack swift:
"""Try to increase resource limits of the OS. Move PYTHON_EGG_CACHE to
/tmp
os.environ['PYTHON_EGG_CACHE'] = '/tmp'

Google search:

PYTHON_EGG_CACHE "/tmp" filetype:py






- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSrAOaAAoJEBYNRVNeJnmTpEkQALviDwMX9eIRKBDOQGwreGVP
vqo1br3pUVep715nhB0gbzNG9K2DVGK+fpPLxoF2JSGxS0cbhsTAgDa9/JA28grU
FyQ9k6QD/YfNT6dP7vUU1eEc4inpHeZt+6H3vN4wQDilji2xAT7dEKobZIiv9CkJ
KyFoNrTW3zmkBJYwvo4g97g2ph07VeLR+pkliKY8AD0LEYUo1FWEfc43VBjmrkY3
qsK/5l6dQRkkxefqf76knyKnArVax3PamJJIMrChmHonVMKFU3a9MyRA8GZ54DoU
a1WQakmxB4SvJHDujleAAedPJspBZZcKY20HOC2V14uxCCuG3yM1XxERY3VfXHr0
TzwE1QeLGjsu7VbZZb/lFzGaIHRIh9KKxU9acgQDibCJQ+xBwISXFy9dX6QLoFwt
x7aO7uKX/1VBHHU2oiQFojXhqfO1uxVjf7HmYhznWQ90TtQ1F2z/sgGO7nnh55Zu
3qu4T68YvZfih8FNdMUB3zLnJBJ4gVSfE0TOMGON2Fr4F07EeaKKZuSGNopiEqRp
6gpODJOTJE9pzOCCUSAyWHdEKv4DirP3VyxVGu0axJT5iXYqvCqE52BGU7zMCVHn
2m068us0SMelQPfRHqSV+j0A7hRYYmHUCg8gDVYHwZVOL1yd+O9l/qCgWCrzT875
9SR/1T+PFgDamg6oV1ic
=AhnA
-----END PGP SIGNATURE-----