Bug#484311: reportbug adds os.curdir to sys.path
> please also fix:
>
> diff -Nru reportbug-3.40/checks/compare_pseudo-pkgs_lists.py
> reportbug-3.40+nmu1/checks/compare_pseudo-pkgs_lists.py
> --- reportbug-3.40/checks/compare_pseudo-pkgs_lists.py 2008-05-22
> 03:21:42.0 +0200
> +++ reportbug-3.40+nmu1/checks/compare_pseudo-pkgs_lists.py 2008-06-04
> 17:53:30.0 +0200
> @@ -8,7 +8,6 @@
> # agaists the official list on ftp-master
>
> import sys, os
> -sys.path = ['.'] + sys.path
>
> import debianbts

As discussed with Nico on [EMAIL PROTECTED], I don't change that file: we need to use the 'debianbts.py' file stored in the current directory, since we need to diff the local version (possibly changed) of the pseudo-packages list with the one on ftp-master.

I've just uploaded reportbug version 3.41, which fixes the CVE and this bug.

I'd like to thank everyone for the prompt reply: Giridhar for the first commit, Nico for the fast reply from the sec team, Thomas for reporting this bug, and the director because he believed in me, my mother... :D

Cheers,
Sandro

-- 
Sandro Tosi (aka morph, Morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe".
Trouble? Contact [EMAIL PROTECTED]
Bug#484311: reportbug adds os.curdir to sys.path
Hi,
please also fix:

diff -Nru reportbug-3.40/checks/compare_pseudo-pkgs_lists.py reportbug-3.40+nmu1/checks/compare_pseudo-pkgs_lists.py
--- reportbug-3.40/checks/compare_pseudo-pkgs_lists.py 2008-05-22 03:21:42.0 +0200
+++ reportbug-3.40+nmu1/checks/compare_pseudo-pkgs_lists.py 2008-06-04 17:53:30.0 +0200
@@ -8,7 +8,6 @@
# agaists the official list on ftp-master

import sys, os
-sys.path = ['.'] + sys.path

import debianbts

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
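Review bot: removing `sys.path = ['.'] + sys.path` leaves `import debianbts` two lines below with no replacement path, and the comment `# agaists the official list on ftp-master` says the script compares a local list against the official one, so it evidently needs the checkout's own `debianbts.py` rather than whichever one happens to be installed. Make that location explicit instead of relying on `'.'`: `'.'` is the working directory of whoever runs the script, so the import depends on where it is invoked from, while `os.path.dirname(os.path.abspath(__file__))` (adjusted to wherever the local copy lives relative to the script) pins it to the checkout. That keeps the check working and still removes the working-directory dependency this bug is about.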
Bug#484311: reportbug adds os.curdir to sys.path
Hi Thijs,
* Thijs Kinkhorst <[EMAIL PROTECTED]> [2008-06-04 14:14]:
> On Wed, June 4, 2008 13:14, Nico Golde wrote:
> > I agree that it is of a low impact but I disagree that this
> > is not a security issue, people are using reportbug in /tmp and I don't see
> > a reason to assume people are not doing that.
>
> The chance of successful exploitation still seems very small, and indeed
> even then the problem is limited to just a regular user account. It's good
> that Sandro is fixing the bug directly so I'm not going to argue over bug
> severity, but I'm marking it as no-dsa for stable.

OK, I thought you were also arguing about the severity in the tracker.
No-dsa seems fine to me.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#484311: reportbug adds os.curdir to sys.path
Per my vac message, if you guys can put together a quick release in the next day or so that would be great. It will otherwise be Tuesday at the earliest.

Chris.

On 6/4/08, Thijs Kinkhorst <[EMAIL PROTECTED]> wrote:
> On Wed, June 4, 2008 14:27, Thomas Arendsen Hein wrote:
>> I encountered this bug in the real world: I extracted a tarball
>> which contained a file named token.py, then I wanted to report a problem
>> and therefore started reportbug.
>>
>> This tarball did not contain harmful code, but as I did not verify
>> it before (because I did not intend to execute parts of it), it could have
>> been harmful.
>>
>> And of course there is /tmp as mentioned by Nico Golde.
>
> That it can happen by accident does not mean that it is easy to explicitly
> exploit. I still believe that those chances are small enough to not
> consider an update to stable (needs local malicious user, needs victim
> user to run reportbug in exactly the right dir, and only then provides
> access to "just" the user account).
>
> If the maintainer wants to provide an update through a stable point update
> that is of course fine.
>
>
> Thijs

-- 
Sent from Gmail for mobile | mobile.google.com

Christopher N. Lawrence, Ph.D. <[EMAIL PROTECTED]>
Visiting Assistant Professor of Political Science
Tulane University
309 Norman Mayer Building
New Orleans, Louisiana 70118-5698
Website: http://www.cnlawrence.com/
Bug#484311: reportbug adds os.curdir to sys.path
On Wed, June 4, 2008 14:27, Thomas Arendsen Hein wrote:
> I encountered this bug in the real world: I extracted a tarball
> which contained a file named token.py, then I wanted to report a problem
> and therefore started reportbug.
>
> This tarball did not contain harmful code, but as I did not verify
> it before (because I did not intend to execute parts of it), it could have
> been harmful.
>
> And of course there is /tmp as mentioned by Nico Golde.

That it can happen by accident does not mean that it is easy to explicitly exploit. I still believe that those chances are small enough to not consider an update to stable (needs local malicious user, needs victim user to run reportbug in exactly the right dir, and only then provides access to "just" the user account).

If the maintainer wants to provide an update through a stable point update that is of course fine.


Thijs
Bug#484311: reportbug adds os.curdir to sys.path
* Thijs Kinkhorst <[EMAIL PROTECTED]> [20080604 14:13]:
> On Wed, June 4, 2008 13:14, Nico Golde wrote:
> > I agree that it is of a low impact but I disagree that this
> > is not a security issue, people are using reportbug in /tmp and I don't see
> > a reason to assume people are not doing that.
>
> The chance of successful exploitation still seems very small, and indeed
> even then the problem is limited to just a regular user account. It's good
> that Sandro is fixing the bug directly so I'm not going to argue over bug
> severity, but I'm marking it as no-dsa for stable.

I encountered this bug in the real world: I extracted a tarball which contained a file named token.py, then I wanted to report a problem and therefore started reportbug.

This tarball did not contain harmful code, but as I did not verify it before (because I did not intend to execute parts of it), it could have been harmful.

And of course there is /tmp as mentioned by Nico Golde.

Regards,
Thomas

-- 
[EMAIL PROTECTED] - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Osnabrueck - Register: Amtsgericht Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Bug#484311: reportbug adds os.curdir to sys.path
On Wed, June 4, 2008 13:14, Nico Golde wrote:
> I agree that it is of a low impact but I disagree that this
> is not a security issue, people are using reportbug in /tmp and I don't see
> a reason to assume people are not doing that.

The chance of successful exploitation still seems very small, and indeed even then the problem is limited to just a regular user account. It's good that Sandro is fixing the bug directly so I'm not going to argue over bug severity, but I'm marking it as no-dsa for stable.


Thijs
Bug#484311: reportbug adds os.curdir to sys.path
# Bcc: control
tags 484311 + patch
thanks

On 08/06/04 16:51 +0530, Y Giridhar Appaji Nag said ...
> Chris, can you confirm that this is the case? We can remove os.curdir or add it
> as the last entry in sys.path.
>
> As an aside, I noticed that /usr/share/reportbug is added to sys.path once
> again in __main__ in reportbug_submit.py.
>
> And in querybts too:

Attached patch. This can be modified -- the parts in the patch that change sys.path.append should be removed -- for a minimally modified reportbug for the security upload queues.

Giridhar

-- 
Y Giridhar Appaji Nag | http://appaji.net/

Index: querybts
===
--- querybts (revision 517)
+++ querybts (working copy)
@@ -25,7 +25,7 @@
# $Id: querybts,v 1.7.2.3 2008-04-18 05:38:27 lawrencc Exp $
import sys, os
-sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path
+sys.path = ['/usr/share/reportbug'] + sys.path + [os.curdir]
from reportbug_exceptions import *
Index: reportbug_submit.py
===
--- reportbug_submit.py (revision 517)
+++ reportbug_submit.py (working copy)
@@ -30,7 +30,7 @@
from reportbug import VERSION, VERSION_NUMBER
import os
-sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path
+sys.path = ['/usr/share/reportbug'] + sys.path + [os.curdir]
import re
import commands
@@ -484,7 +484,6 @@
'o'
if __name__ == '__main__':
-sys.path.append('/usr/share/reportbug')
try:
main()
except KeyboardInterrupt:
Index: reportbug
===
--- reportbug (revision 522)
+++ reportbug (working copy)
@@ -1798,7 +1798,6 @@
return
if __name__ == '__main__':
-sys.path.append('/usr/share/reportbug')
try:
main()
except KeyboardInterrupt:
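Review bot: in the `querybts` hunk and the `@@ -30,7 +30,7 @@` hunk of `reportbug_submit.py`, `+sys.path = ['/usr/share/reportbug'] + sys.path + [os.curdir]` only stops the working directory from shadowing modules that exist somewhere earlier on the path. Any import that nothing earlier satisfies (a module absent from the installed Python, a misspelled name, an optional dependency that is not installed) still falls through to a file of that name in the working directory, so the CVE-2008-2230 problem survives in a narrower form. Unless reportbug genuinely imports modules from the working directory, delete `os.curdir` from the list rather than moving it, as the message itself suggests for the security upload.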
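Review bot: the `-sys.path.append('/usr/share/reportbug')` removals in the `__main__` blocks of `reportbug_submit.py` and `reportbug` are behaviour-preserving only because the same directory is already prepended at import time in both files (the `-sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path` line earlier in this patch for `reportbug_submit.py`, and `sys.path = ['/usr/share/reportbug'] + sys.path` in `reportbug` per the `grep sys.path *` output elsewhere in this thread); a prepended entry is always searched before an appended copy, so the append was dead code. Say so in the changelog, since it is unrelated to the `os.curdir` fix and whoever reviews the security upload will otherwise wonder why it is in the same diff.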
Bug#484311: reportbug adds os.curdir to sys.path
Hi all,

>> > sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path
>> >
>> > To "exploit":
>> > $ echo 'raise "FOO"' > token.py
>> > $ reportbug
>>
>> Can you explain how this is a practical user security hole? Your exploit
>> shows how to "exploit yourself", but it seems very unlikely to me that an
>> attacker can
>> 1) create a file token.py
>> 2) make sure the user is in that curdir
>> 3) AND invoke reportbug.
>>
>> That seems rather contrived to me.
>
> I agree that it is of a low impact but I disagree that this
> is not a security issue, people are using reportbug in /tmp
> and I don't see a reason to assume people are not doing
> that.

Thanks a lot for the prompt support! I'm currently at work, with no svn (+ssh keys) access: once at home I'll prepare an upload for reportbug fixing this issue; just for reference, I'll remove all os.curdir from the list below:

$ grep sys.path *
querybts:sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path
reportbug:sys.path = ['/usr/share/reportbug'] + sys.path
reportbug:sys.path.append('/usr/share/reportbug')
reportbug.py:for d in sys.path:
reportbug_submit.py:sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path
reportbug_submit.py:sys.path.append('/usr/share/reportbug')

Kindly,
Sandro

PS: link to CVE: http://security-tracker.debian.net/tracker/CVE-2008-2230

-- 
Sandro Tosi (aka morph, Morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi
Bug#484311: reportbug adds os.curdir to sys.path
On 08/06/03 18:26 +0200, Thomas Arendsen Hein said ...
> sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path

It looks like os.curdir has been added to sys.path only for temporary debugging purposes (code modified in the local directory and wanting to test it without installing reportbug). Chris, can you confirm that this is the case? We can remove os.curdir or add it as the last entry in sys.path.

As an aside, I noticed that /usr/share/reportbug is added to sys.path once again in __main__ in reportbug_submit.py.

And in querybts too:

27 import sys, os
28 sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path

Cheers,
Giridhar

-- 
Y Giridhar Appaji Nag | http://appaji.net/
Bug#484311: reportbug adds os.curdir to sys.path
Hi Thijs,
* Thijs Kinkhorst <[EMAIL PROTECTED]> [2008-06-04 12:52]:
> On Tue, June 3, 2008 18:26, Thomas Arendsen Hein wrote:
> > Package: reportbug
> > Version: 3.31
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> >
> > sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path
> >
> > To "exploit":
> > $ echo 'raise "FOO"' > token.py
> > $ reportbug
>
> Can you explain how this is a practical user security hole? Your exploit
> shows how to "exploit yourself", but it seems very unlikely to me that an
> attacker can
> 1) create a file token.py
> 2) make sure the user is in that curdir
> 3) AND invoke reportbug.
>
> That seems rather contrived to me.

I agree that it is of a low impact but I disagree that this is not a security issue, people are using reportbug in /tmp and I don't see a reason to assume people are not doing that.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#484311: reportbug adds os.curdir to sys.path
Hi,

On Tue, June 3, 2008 18:26, Thomas Arendsen Hein wrote:
> Package: reportbug
> Version: 3.31
> Severity: grave
> Tags: security
> Justification: user security hole
>
>
> sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path
>
> To "exploit":
> $ echo 'raise "FOO"' > token.py
> $ reportbug

Can you explain how this is a practical user security hole? Your exploit shows how to "exploit yourself", but it seems very unlikely to me that an attacker can
1) create a file token.py
2) make sure the user is in that curdir
3) AND invoke reportbug.

That seems rather contrived to me.


Thijs
Bug#484311: reportbug adds os.curdir to sys.path
Hi Thomas,
* Thomas Arendsen Hein <[EMAIL PROTECTED]> [2008-06-03 18:51]:
[...]
> sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path
>
> To "exploit":
[...]

Please use CVE-2008-2230 if you fix this bug and reference this CVE id in the changelog when closing the bug.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug#484311: reportbug adds os.curdir to sys.path
Package: reportbug
Version: 3.31
Severity: grave
Tags: security
Justification: user security hole

sys.path = [os.curdir, '/usr/share/reportbug'] + sys.path

To "exploit":
$ echo 'raise "FOO"' > token.py
$ reportbug
Traceback (most recent call last):
  File "/usr/bin/reportbug", line 39, in ?
    import optparse, re, os, pwd, time, locale, commands, checkversions
  File "/usr/lib/python2.4/optparse.py", line 73, in ?
    from gettext import gettext as _
  File "/usr/lib/python2.4/gettext.py", line 49, in ?
    import locale, copy, os, re, struct, sys
  File "/usr/lib/python2.4/copy.py", line 65, in ?
    import inspect
  File "/usr/lib/python2.4/inspect.py", line 31, in ?
    import sys, os, types, string, re, dis, imp, tokenize, linecache
  File "/usr/lib/python2.4/tokenize.py", line 30, in ?
    from token import *
  File "./token.py", line 1, in ?
    raise "FOO"
FOO

-- Package-specific info:
** Environment settings:
EDITOR="vim"
EMAIL="Thomas Arendsen Hein <[EMAIL PROTECTED]>"

** /home/thomas/.reportbugrc:
mutt
email "[EMAIL PROTECTED]"
realname "Thomas Arendsen Hein"

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24.3-id1-k8-2
Locale: LANG=en_US, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages reportbug depends on:
ii  python          2.4.4-2   An interactive high-level object-o
ii  python-central  0.5.12    register and build utility for Pyt

Versions of packages reportbug recommends:
pn  python-cjkcodecs | python-ico  (no description available)

-- no debconf information

-- 
[EMAIL PROTECTED] - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Osnabrueck - Register: Amtsgericht Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
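The traceback above shows the mechanism behind CVE-2008-2230: with the working directory at the front of `sys.path`, a file called `token.py` in that directory is imported instead of the standard library's `token` module, long before reportbug's own code runs. The thread discusses three layouts (the original `[os.curdir, '/usr/share/reportbug'] + sys.path`, Giridhar's suggestion of moving `os.curdir` to the end, and Sandro's removal of it altogether). The following Python 3 script is an added example, not code from the bug thread or from reportbug: it asks the import system which file each layout would load, without executing anything, so the three layouts can be compared safely. The working directory, its `token.py`, and the module name `reportbug_helper` (standing in for any module that is not installed system-wide) are constructed for the example; `own_dir_path` shows the script-relative alternative to `'.'` for a script that really does need a sibling module, as the `checks/` script discussed above does. It also goes a step beyond the thread by showing why the "last entry" variant still resolves unknown names to the working directory.

```python
"""Added example (not from the bug thread): show which file `import name` would
load under three sys.path layouts from Bug#484311, without executing anything.
Runs on Python 3; the thread concerns Python 2.4, but the path-search rule
(first matching entry wins) is the same."""
import importlib.machinery
import os
import sys
import tempfile

REPORTBUG_DIR = "/usr/share/reportbug"  # path from the thread; need not exist here


def resolve_origin(name, search_path):
    """File that `import name` would load if sys.path were `search_path`,
    or None when no file on that path provides the module.  Uses the same
    path-based finder as the import system, so the module is not executed."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    if spec is None or not spec.has_location:
        return None
    return spec.origin


def is_shadowed_by(name, search_path, directory):
    """True when the module that `import name` resolves to lives in
    `directory` (the untrusted working directory in the reportbug case)."""
    origin = resolve_origin(name, search_path)
    if origin is None:
        return False
    return os.path.dirname(os.path.abspath(origin)) == os.path.abspath(directory)


def own_dir_path(script_file):
    """What a script that really needs a sibling module should put on
    sys.path instead of '.': its own directory, which does not change with
    the caller's working directory."""
    return os.path.dirname(os.path.abspath(script_file))


def compare_layouts():
    """Build a throwaway working directory containing a constructed token.py
    (like the reporter's repro) and a constructed module that exists nowhere
    else, then check the three layouts discussed in the thread."""
    base = [p for p in sys.path if p not in ("", os.curdir)]
    with tempfile.TemporaryDirectory() as cwd:
        with open(os.path.join(cwd, "token.py"), "w") as fh:
            fh.write('raise RuntimeError("FOO")\n')    # never executed here
        with open(os.path.join(cwd, "reportbug_helper.py"), "w") as fh:
            fh.write("")                               # hypothetical module name
        vulnerable = [cwd, REPORTBUG_DIR] + base       # reportbug 3.31 layout
        appended = [REPORTBUG_DIR] + base + [cwd]      # "add it as the last entry"
        fixed = [REPORTBUG_DIR] + base                 # os.curdir removed (3.41)
        return {
            # stdlib token shadowed only when cwd comes first
            "token_vulnerable": is_shadowed_by("token", vulnerable, cwd),
            "token_appended": is_shadowed_by("token", appended, cwd),
            "token_fixed": is_shadowed_by("token", fixed, cwd),
            # a name nothing else provides still comes from cwd when appended
            "helper_appended": is_shadowed_by("reportbug_helper", appended, cwd),
            "helper_fixed": resolve_origin("reportbug_helper", fixed),
        }


if __name__ == "__main__":
    for key, value in compare_layouts().items():
        print(f"{key:18} {value}")
```

`PathFinder.find_spec` walks the given list exactly as `import` would and returns the first match, so the comparison reflects real resolution order rather than a re-implementation of it. The `helper_appended` result is the point Giridhar's "last entry" variant misses: appending the working directory prevents shadowing of modules that exist elsewhere, but any import that nothing earlier satisfies still lands on whatever file of that name sits in the working directory, which is why removing the entry is the right fix.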