** Changed in: swift
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1192966
Title:
Potentially insecure dependency loading
Status in OpenStack Image Registry and Delivery Service (Glance):
Invalid
Status in OpenStack Object Storage (Swift):
Invalid
Bug description:
Grant Murphy and Dhiru Kholia from the Red Hat Product Security Team
reported the following potential issue. This is actually a setuptools
issue, but one which we may be able to work around if we end up being
affected:
---
A security flaw was found in the way Python Setuptools, a collection of
enhancements to the Python distutils module that makes it easier to build
and distribute Python packages, performed integrity checks when loading
external resources previously extracted from zipped Python Egg
archives (formerly, if the timestamp and file size of a particular resource
expanded from the archive matched the original values, the resource was
successfully loaded). A local attacker with write permission to the Python
EGG cache directory could use this flaw to provide a specially crafted
resource (in expanded form) that, when loaded by an application requiring that
resource to run, would lead to arbitrary code execution with the
privileges of the user running the application.
It seems to be pretty common for Python applications to do something
like os.environ['PYTHON_EGG_CACHE'] = '/tmp' prior to importing
dependencies.
If the dependency contains a .so, Python must unpack it into the cache
directory to be able to load it. However, if an attacker pre-emptively places a
.so in the same location, it will be loaded as long as the file has the same
timestamp and file size.
---
Glance and Swift both set PYTHON_EGG_CACHE to '/tmp' :
./glance/glance/cmd/control.py: os.environ['PYTHON_EGG_CACHE'] = '/tmp'
./swift/swift/common/manager.py: os.environ['PYTHON_EGG_CACHE'] = '/tmp'
If we are immediately vulnerable to this (i.e. if stuff loaded from
those commands contains a .so, if I understand correctly), we could
work around it by setting it to /tmp/secure-dir-XXXXXX/ until
setuptools upstream fixes this.
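A small Python illustration of the two points in the bug description, added here as an example (it is not code from Glance, Swift or setuptools, and all function names are my own): a size-plus-mtime check of the kind the advisory describes is satisfied by a different file of the same length and timestamp, a content digest is not, and an owner-only cache directory of the /tmp/secure-dir-XXXXXX kind removes the shared-/tmp precondition. Assumes a POSIX host.

```python
import hashlib
import os
import stat
import tempfile

def stat_matches(path, expected_size, expected_mtime):
    """The check the advisory describes: trust the cached copy when its size and
    mtime equal the recorded values. Anyone who can write the cache controls both."""
    st = os.stat(path)
    return st.st_size == expected_size and int(st.st_mtime) == int(expected_mtime)

def digest_matches(path, expected_sha256):
    """Content-based alternative: trust the cached copy only if its SHA-256
    equals the digest recorded from the original archive member."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest() == expected_sha256

def private_egg_cache(base=None):
    """The workaround proposed in the bug: an owner-only directory instead of
    bare /tmp. mkdtemp creates it with mode 0700 and a random suffix, so no
    other local user can pre-populate it."""
    path = tempfile.mkdtemp(prefix="secure-dir-", dir=base)
    os.environ["PYTHON_EGG_CACHE"] = path
    return path

def cache_dir_is_private(path):
    """Check before use: a directory we own that is not group/world writable."""
    st = os.stat(path)
    return (stat.S_ISDIR(st.st_mode) and st.st_uid == os.getuid()
            and not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)))

def compare_checks(base=None):
    """Constructed sample: write a resource, record what each check expects,
    then overwrite it with different bytes of the same length and restore the
    mtime. Returns (stat check passes, digest check passes)."""
    cache = private_egg_cache(base)
    resource = os.path.join(cache, "sample.so")  # placeholder name, not a real library
    with open(resource, "wb") as f:
        f.write(b"GENUINE\n")
    st = os.stat(resource)
    expected = hashlib.sha256(b"GENUINE\n").hexdigest()
    with open(resource, "wb") as f:
        f.write(b"ALTERED\n")                        # same length, different content
    os.utime(resource, (st.st_atime, st.st_mtime))  # same mtime as the original
    return stat_matches(resource, st.st_size, st.st_mtime), digest_matches(resource, expected)
```

The stat-based check reports the altered file as valid while the digest check rejects it, which is why the private directory (or a content check) rather than the timestamp comparison is the real control.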