Date: Fri, 30 Jan 2009 13:56:25 +0100 From: Jan Lieskovsky <jlieskov@...hat.com> To: "Steven M. Christey" <coley@...us.mitre.org>, Robert Buchholz <rbu@...too.org> Cc: oss-security <oss-security@...ts.openwall.com> Subject: Re: CVE request -- Python < 2.6 PySys_SetArgv issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python, Gnumeric) Hello again Steve, got couple of points to discuss yet: 1, thanks! for all the CVEs (probably more reports still to come, since currently still investigating all the F10 srpms code in Everything repo to ensure we didn't miss something). Recommending other distros to behave in similar way. 2, > Do you have any upstream bug ID's for the Python bug itself, or some > Python mailing list? I'd like to capture that issue there, if possible. > > I'm using CVE-2008-5983 to help track the Python bug itself. > Not aware of any upstream Python bug report yet (there are still some obstacles with the patch :(, so it seems the upstream root Python issue fix can not be expected any time soon (that's why we reported this issue in most affected applications/packages at least). Current RH status can be seen here: https://bugzilla.redhat.com/show_bug.cgi?id=482814#c1 and here: https://bugzilla.redhat.com/show_bug.cgi?id=482814#c4 and here: https://bugzilla.redhat.com/show_bug.cgi?id=482814#c5 For testing purposes it is possible to use Ray Strode's test case from: https://bugzilla.redhat.com/show_bug.cgi?id=481556#c8 The Python upstream bug report will follow as soon as we will find a patch, which would resolve also the 'sub-modules, which are in more than a one file' ('import utils' example) case. 3, The original CVE-2008-5983 description will need modification. Robert is right, this issue is still present also in Python 2.6 (even absolute imports didn't resolve it). For more details please proceed to: http://www.openwall.com/lists/oss-security/2009/01/28/5 and to: https://bugzilla.redhat.com/show_bug.cgi?id=482814#c1 So please update the text of CVE-2008-5983 to state: "... in Python prepends an empty string to sys.path ...". Thanks && regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team On Tue, 2009-01-27 at 21:38 -0500, Steven M. Christey wrote: > On Mon, 26 Jan 2009, Jan Lieskovsky wrote: > > > Though this is a Python flaw (insertion of cwd at the > > beginning of the Python modules search path), according to our Python > > maintainers it can't be fixed on Python's side due the need > > of ensuring the work of other numerous packages, when loading > > Python modules. > > This was a bit of a pain CVE-wise, though I suspect it was less painful > than what the maintainers are going through. > > It seems fair to label the Python bug separately as an instance of > CWE-684: Failure to Provide Specified Functionality (or some other "API > Abuse CWE-227 problem). Then we could assign separate CVE's for the > others ("failure to work around a known issue in the underlying > interpreter"). I'm always worried about these kinds of things producing > mass amounts of CVE's, and it doesn't seem fair to those applications - > but given that Python upstream can't/won't fix the issue, this seems the > best approach, since the apps will have to be patched themselves. > > Do you have any upstream bug ID's for the Python bug itself, or some > Python mailing list? I'd like to capture that issue there, if possible. > > I'm using CVE-2008-5983 to help track the Python bug itself. > > For the individual apps: > > CVE-2008-5984 - Dia > CVE-2008-5985 - Epiphany > CVE-2008-5986 - Csound > CVE-2008-5987 - eog > > They all had 2008 CVE's because of James Vega's work in November, which > was "technically public" at that time. > > The following ones are 2009 because the first disclosure seems to be from > Jan in the original oss-security post. > > Does anybody have upstream version information for these? They aren't in > the Red Hat bug reports, so the descriptions have no versions. > > CVE-2009-0314 - gedit > CVE-2009-0315 - xchat > CVE-2009-0316 - vim > CVE-2009-0317 - Nautilus > CVE-2009-0318 - Gnumeric > > > - Steve
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ