Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 30 Jan 2009 13:56:25 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>,
        Robert Buchholz <rbu@...too.org>
Cc: oss-security <oss-security@...ts.openwall.com>
Subject: Re: CVE request -- Python < 2.6 PySys_SetArgv
	issues (epiphany, csound, dia, eog, gedit, xchat, vim, nautilus-python,
	Gnumeric)

Hello again Steve,

  got couple of points to discuss yet:

  1, thanks! for all the CVEs (probably more reports still
to come, since currently still investigating all
the F10 srpms code in Everything repo to ensure we didn't
miss something). Recommending other distros to behave in
similar way.

  2, 

> Do you have any upstream bug ID's for the Python bug itself, or some
> Python mailing list?  I'd like to capture that issue there, if possible.
> 
> I'm using CVE-2008-5983 to help track the Python bug itself.
> 

Not aware of any upstream Python bug report
yet (there are still some obstacles with the patch :(,
so it seems the upstream root Python issue fix can not
be expected any time soon (that's why we reported this issue
in most affected applications/packages at least).

Current RH status can be seen here:

https://bugzilla.redhat.com/show_bug.cgi?id=482814#c1 and here:
https://bugzilla.redhat.com/show_bug.cgi?id=482814#c4 and here:
https://bugzilla.redhat.com/show_bug.cgi?id=482814#c5

For testing purposes it is possible to use Ray Strode's test case
from:

https://bugzilla.redhat.com/show_bug.cgi?id=481556#c8

The Python upstream bug report will follow as soon as we will
find a patch, which would resolve also the 'sub-modules,
which are in more than a one file' ('import utils' example) case.

3, The original CVE-2008-5983 description will need modification.
Robert is right, this issue is still present also in Python
2.6 (even absolute imports didn't resolve it). For more
details please proceed to:

http://www.openwall.com/lists/oss-security/2009/01/28/5 and to:
https://bugzilla.redhat.com/show_bug.cgi?id=482814#c1

So please update the text of CVE-2008-5983 to state:

"... in Python prepends an empty string to sys.path ...".

Thanks && regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team


On Tue, 2009-01-27 at 21:38 -0500, Steven M. Christey wrote:
> On Mon, 26 Jan 2009, Jan Lieskovsky wrote:
> 
> > Though this is a Python flaw (insertion of cwd at the
> > beginning of the Python modules search path), according to our Python
> > maintainers it can't be fixed on Python's side due the need
> > of ensuring the work of other numerous packages, when loading
> > Python modules.
> 
> This was a bit of a pain CVE-wise, though  I suspect it was less painful
> than what the maintainers are going through.
> 
> It seems fair to label the Python bug separately as an instance of
> CWE-684: Failure to Provide Specified Functionality (or some other "API
> Abuse CWE-227 problem).  Then we could assign separate CVE's for the
> others ("failure to work around a known issue in the underlying
> interpreter").  I'm always worried about these kinds of things producing
> mass amounts of CVE's, and it doesn't seem fair to those applications -
> but given that Python upstream can't/won't fix the issue, this seems the
> best approach, since the apps will have to be patched themselves.
> 
> Do you have any upstream bug ID's for the Python bug itself, or some
> Python mailing list?  I'd like to capture that issue there, if possible.
> 
> I'm using CVE-2008-5983 to help track the Python bug itself.
> 
> For the individual apps:
> 
> CVE-2008-5984 - Dia
> CVE-2008-5985 - Epiphany
> CVE-2008-5986 - Csound
> CVE-2008-5987 - eog
> 
> They all had 2008 CVE's because of James Vega's work in November, which
> was "technically public" at that time.
> 
> The following ones are 2009 because the first disclosure seems to be from
> Jan in the original oss-security post.
> 
> Does anybody have upstream version information for these?  They aren't in
> the Red Hat bug reports, so the descriptions have no versions.
> 
> CVE-2009-0314 - gedit
> CVE-2009-0315 - xchat
> CVE-2009-0316 - vim
> CVE-2009-0317 - Nautilus
> CVE-2009-0318 - Gnumeric
> 
> 
> - Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.