Potentially insecure dependency loading
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Glance | Invalid | Undecided | Unassigned | |
| OpenStack Object Storage (swift) | Invalid | Undecided | Unassigned | |
Bug Description
Grant Murphy and Dhiru Kholia from the Red Hat Product Security Team reported the following potential issue. This is actually a setuptools issue, but one which we may be able to work around if we end up being affected:
---
A security flaw was found in the way Python Setuptools, a collection of enhancements to the Python distutils module that makes it easier to build and distribute Python packages, performed integrity checks when loading external resources previously extracted from zipped Python Egg archives (formerly, if the timestamp and file size of a particular resource expanded from the archive matched the original values, the resource was successfully loaded). A local attacker with write permission to the Python EGG cache directory could use this flaw to provide a specially-crafted resource (in expanded form) that, when loaded in an application requiring that resource to (be able to) run, would lead to arbitrary code execution with the privileges of the user running the application.
It seems to be pretty common for Python applications to do something like os.evironment[
If the dependency contains a .so, Python must unpack it into the cache directory to be able to load it. However, if an attacker pre-emptively places a .so in the same location, as long as the file has the same timestamp and file size it will be loaded.
---
Glance and Swift both set PYTHON_EGG_CACHE to '/tmp' :
./glance/
./swift/
If we are immediately vulnerable to this (i.e. if stuff loaded from those commands contains a .so, if I understand correctly), we could work around it by setting it to /tmp/secure-
Changed in ossa:
status: New → Incomplete
information type: Private Security → Public
tags: added: security
no longer affects: ossa

Changed in swift:
status: New → Invalid
We could just mkstemp that env variable right?
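The mitigation sketched in the description and in the mkstemp comment above, as an added example that is not code from the bug report or from Glance/Swift: a shared, world-writable `/tmp` egg cache fails a simple ownership/permission check, while a fresh `tempfile.mkdtemp` directory (created mode 0700) passes it and is exported as `PYTHON_EGG_CACHE`. The function names are assumptions chosen for illustration.

```python
"""Added example (not Glance/Swift code): prefer a private egg cache over a
shared /tmp so another local user cannot pre-place a matching .so there."""
import os
import stat
import tempfile


def egg_cache_is_private(path):
    """Return True only if `path` is a real directory (not a symlink) that we
    own and that neither group nor others can write to. A shared cache such
    as /tmp (mode 1777) fails this check because anyone can create files in
    it, which is exactly what the reported setuptools flaw relies on."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.getuid():
        return False
    # group- or world-writable means other local users can plant files
    return not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)


def ensure_private_egg_cache(environ=None):
    """Keep PYTHON_EGG_CACHE if it already points at a private directory;
    otherwise create a unique mode-0700 directory with mkdtemp and export
    that instead. Returns the directory actually in use.

    `environ` defaults to os.environ; a plain dict can be passed for tests."""
    env = os.environ if environ is None else environ
    current = env.get("PYTHON_EGG_CACHE")
    if current and egg_cache_is_private(current):
        return current
    # mkdtemp creates the directory atomically with mode 0700, so there is
    # no window in which another user could pre-create or populate it
    cache = tempfile.mkdtemp(prefix="egg-cache-")
    env["PYTHON_EGG_CACHE"] = cache
    return cache


if __name__ == "__main__":
    print("PYTHON_EGG_CACHE ->", ensure_private_egg_cache())
```

Calling `ensure_private_egg_cache()` before the first `pkg_resources` extraction is the point; once a .so has been unpacked from a shared cache the check comes too late.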