[Openstack-security] [Bug 1192966] Re: Potentially insecure dependency loading

Thierry Carrez thierry.carrez+lp at gmail.com
Mon Dec 9 16:07:31 UTC 2013


** Information type changed from Private Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1192966

Title:
  Potentially insecure dependency loading

Status in OpenStack Image Registry and Delivery Service (Glance):
  New
Status in OpenStack Security Advisories:
  Incomplete
Status in OpenStack Object Storage (Swift):
  New

Bug description:
  Grant Murphy and Dhiru Kholia from Red Hat Product Security Team
  reported the following potential issue. This is actually a setuptools
  issue but which we may be able to workaround, if we end up being
  affected:

  ---
  A security flaw was found in the way Python Setuptools, a collection of enhancements to the Python distutils module, that allows more easily to build and distribute Python packages, performed integrity checks when loading external resources, previously extracted from zipped Python Egg archives(formerly if the timestamp and file size of a particular resource expanded from the archive matched the original values, the resource was successfully loaded). A local attacker, with write permission into the Python's EGG cache (directory) could use this flaw to provide a specially-crafted resource (in expanded form) that, when loaded in an application requiring that resource to (be able to) run, would lead to arbitrary code execution with the privileges of the user running the application.

  It seems to be pretty common for Python applications to do something
  like os.evironment['PYTHON_EGG_CACHE'] = /tmp, prior to importing
  dependencies.

  If the dependency contains a .so Python must unpack it into the cache directory to be able to load it. However if an attacker pre-emptively places a .so in the same location as long as the file has the same timestamp and file size it will be loaded.
  ---

  Glance and Swift both set PYTHON_EGG_CACHE to '/tmp' :
  ./glance/glance/cmd/control.py:        os.environ['PYTHON_EGG_CACHE'] = '/tmp'
  ./swift/swift/common/manager.py:    os.environ['PYTHON_EGG_CACHE'] = '/tmp'

  If we are immediately vulnerable to this (i.e. if stuff loaded from
  those commands contains an .so, if I understand correctly), we could
  workaround it by setting it to /tmp/secure-dir-XXXXXX/ until
  setuptools upstream fixes this.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1192966/+subscriptions




More information about the Openstack-security mailing list