python-rdflib-tools: CVE-2019-7653: Code injection from current working directory

Related Vulnerabilities: CVE-2019-7653  

Debian Bug report logs - #921751


Reported by: Gabriel Corona <gabriel.corona@enst-bretagne.fr>

Date: Fri, 8 Feb 2019 20:51:02 UTC

Severity: normal

Tags: security

Found in versions rdflib/4.2.1-2, rdflib/4.2.2-1

Fixed in version rdflib/4.2.2-2

Done: chrysn@fsfe.org (Christian M. Amsüss)

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Christian M. Amsüss <chrysn@fsfe.org>:
Bug#921751; Package python-rdflib-tools. (Fri, 08 Feb 2019 20:51:04 GMT)


Acknowledgement sent to Gabriel Corona <gabriel.corona@enst-bretagne.fr>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Christian M. Amsüss <chrysn@fsfe.org>. (Fri, 08 Feb 2019 20:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Gabriel Corona <gabriel.corona@enst-bretagne.fr>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-rdflib-tools: Code injection from current working directory
Date: Fri, 08 Feb 2019 21:49:07 +0100
Package: python-rdflib-tools
Version: 4.2.2-1
Severity: normal
Tags: security

The CLI tools in python-rdflib-tools can load python modules
found in the current directory. This happens because "python -m"
appends the current directory to the python path.

    $ echo 'print("Something")' > cgi.py
    $ rdf2dot
    INFO:rdflib:RDFLib Version: 4.2.2
    Something
    Reading from stdin as None...

The local cgi.py file is loaded instead of the system one.

There are probably other instances of this in the Debian
archive. Constructs such as:

  python -m "$some_module"
  python -c "$some_code"
  $some_command | python

can lead to code injection from the current working directory.


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (90, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python-rdflib-tools depends on:
ii  python         2.7.15-4
ii  python-rdflib  4.2.2-1

python-rdflib-tools recommends no packages.

python-rdflib-tools suggests no packages.

-- no debconf information
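The mechanism described in the report, as an added example that is not part of the bug report or of the rdflib package: a throwaway directory gets a decoy module, and the same probe is run through the four invocation styles mentioned in the thread (`python -m`, `python -c`, a setuptools-style script living in its own `bin/` directory, and `-I` isolated mode). The decoy name `colorsys` is an assumption standing in for the report's `cgi`, which no longer ships with Python 3.13.

```python
"""Show which invocation styles let a module in the cwd shadow the stdlib.
Assumes a CPython 3 interpreter at sys.executable and a writable temp dir."""
import os
import subprocess
import sys
import tempfile

DECOY = "colorsys"  # stdlib module that is NOT imported at interpreter start-up

# Probe: import DECOY and print the absolute path of the file that was loaded.
PROBE = (
    "import importlib, os\n"
    f"m = importlib.import_module({DECOY!r})\n"
    "print(os.path.realpath(os.path.abspath(m.__file__)))\n"
)


def run_probe(workdir, mode):
    """Run PROBE with cwd=workdir in one invocation style; return the path of
    the module that was actually imported."""
    if mode == "-m":          # the Debian wrappers: sys.path[0] becomes the cwd
        cmd = [sys.executable, "-m", "probe"]
    elif mode == "-c":        # python -c "$code": sys.path[0] is '' (cwd too)
        cmd = [sys.executable, "-c", PROBE]
    elif mode == "script":    # entry-point script: sys.path[0] is its own dir
        cmd = [sys.executable, os.path.join(workdir, "bin", "probe.py")]
    elif mode == "isolated":  # -I: neither cwd nor script dir is on sys.path
        cmd = [sys.executable, "-I", "-c", PROBE]
    else:
        raise ValueError(mode)
    env = dict(os.environ)
    env.pop("PYTHONPATH", None)      # keep the result independent of the caller
    env.pop("PYTHONSAFEPATH", None)  # (3.11+ hardening knob; see usage note)
    out = subprocess.run(cmd, cwd=workdir, env=env, check=True,
                         capture_output=True, text=True)
    return out.stdout.strip()


def demo():
    """Return {mode: True if the decoy in the cwd shadowed the stdlib module}."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = os.path.realpath(tmp)
        # Constructed decoy: an untrusted directory containing <DECOY>.py
        with open(os.path.join(workdir, DECOY + ".py"), "w") as f:
            f.write("# decoy module planted in the cwd\n")
        with open(os.path.join(workdir, "probe.py"), "w") as f:
            f.write(PROBE)
        os.mkdir(os.path.join(workdir, "bin"))
        with open(os.path.join(workdir, "bin", "probe.py"), "w") as f:
            f.write(PROBE)
        return {mode: run_probe(workdir, mode).startswith(workdir + os.sep)
                for mode in ("-m", "-c", "script", "isolated")}


if __name__ == "__main__":
    for mode, shadowed in demo().items():
        print(f"{mode:9s} -> {'SHADOWED (cwd wins)' if shadowed else 'stdlib'}")
```

Only the `-m` and `-c` runs pick up the decoy; the script in `bin/` (the shape of the easy_install-provided scripts the fix switches to) and the `-I` run resolve the stdlib module. On Python 3.11 and later, `-P` or `PYTHONSAFEPATH=1` give the same protection without the other side effects of `-I`.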



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 08 Feb 2019 21:33:06 GMT)


Removed tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 08 Feb 2019 21:45:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Christian M. Amsüss <chrysn@fsfe.org>:
Bug#921751; Package python-rdflib-tools. (Sat, 09 Feb 2019 04:15:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian M. Amsüss <chrysn@fsfe.org>. (Sat, 09 Feb 2019 04:15:03 GMT)


Message #14 received at 921751@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Gabriel Corona <gabriel.corona@enst-bretagne.fr>, 921751@bugs.debian.org
Subject: Re: Bug#921751: python-rdflib-tools: Code injection from current working directory
Date: Sat, 9 Feb 2019 05:13:07 +0100
Control: retitle -1 python-rdflib-tools: CVE-2019-7653: Code injection from current working directory

Hi Gabriel!

On Fri, Feb 08, 2019 at 09:49:07PM +0100, Gabriel Corona wrote:
> Package: python-rdflib-tools
> Version: 4.2.2-1
> Severity: normal
> Tags: security
> 
> The CLI tools in python-rdflib-tools can load python modules
> found in the current directory. This happens because "python -m"
> appends the current directory to the python path.
> 
>     $ echo 'print("Something")' > cgi.py
>     $ rdf2dot
>     INFO:rdflib:RDFLib Version: 4.2.2
>     Something
>     Reading from stdin as None...
> 
> The local cgi.py file is loaded instead of the system one.
> 
> There are probably other instances of this in the Debian
> archive. Constructs such as:
> 
>   python -m "$some_module"
>   python -c "$some_code"
>   $some_command | python
> 
> can lead to code injection from the current working directory.

MITRE has assigned CVE-2019-7653 for this issue.

For those following the bug, this likely does not affect the upstream
project itself and is Debian specific, as the Debian packaging AFAICS
replaces the respective scripts/tools by wrappers invoking python -m
as described by Gabriel (please correct me if I'm wrong).

Regards,
Salvatore



Changed Bug title to 'python-rdflib-tools: CVE-2019-7653: Code injection from current working directory' from 'python-rdflib-tools: Code injection from current working directory'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 921751-submit@bugs.debian.org. (Sat, 09 Feb 2019 04:15:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Christian M. Amsüss <chrysn@fsfe.org>:
Bug#921751; Package python-rdflib-tools. (Thu, 14 Feb 2019 16:33:05 GMT)


Acknowledgement sent to chrysn <chrysn@fsfe.org>:
Extra info received and forwarded to list. Copy sent to Christian M. Amsüss <chrysn@fsfe.org>. (Thu, 14 Feb 2019 16:33:05 GMT)


Message #21 received at 921751@bugs.debian.org:

From: chrysn <chrysn@fsfe.org>
To: 921751@bugs.debian.org, Andreas Tille <tille@debian.org>, Ondřej Nový <onovy@debian.org>
Subject: Re: Bug#921751: python-rdflib-tools: CVE-2019-7653: Code injection from current working directory
Date: Thu, 14 Feb 2019 17:24:48 +0100
On Sat, Feb 09, 2019 at 05:13:07AM +0100, Salvatore Bonaccorso wrote:
> For those following the bug, this likely does not affect the upstream
> project itself and is Debian specific, as the Debian packaging AFAICS
> replaces the respective scripts/tools by wrappers invoking python -m
> as described by Gabriel (please correct me if I'm wrong).

I've updated the package's source to avoid the issue by using the
wrappers that setup.py/easy_install provides rather than making our own
in Debian.

I can't directly push to the source right now (but have a PR pending at
[1]) and can't upload (as I don't have DMUA on that package).

Andreas or Ondřej, could you pull that in and do a team upload on
this? (I can prepare a full DM upload to be sponsored, but it's my
impression that team uploads are the easier way to go about this now).

Best regards
Christian

[1]: https://salsa.debian.org/debian/rdflib/merge_requests/1

Information forwarded to debian-bugs-dist@lists.debian.org, Christian M. Amsüss <chrysn@fsfe.org>:
Bug#921751; Package python-rdflib-tools. (Fri, 15 Feb 2019 08:15:03 GMT)


Acknowledgement sent to Andreas Tille <andreas@fam-tille.de>:
Extra info received and forwarded to list. Copy sent to Christian M. Amsüss <chrysn@fsfe.org>. (Fri, 15 Feb 2019 08:15:04 GMT)


Message #26 received at 921751@bugs.debian.org:

From: Andreas Tille <andreas@fam-tille.de>
To: chrysn <chrysn@fsfe.org>
Cc: 921751@bugs.debian.org, Ondřej Nový <onovy@debian.org>
Subject: Re: Bug#921751: python-rdflib-tools: CVE-2019-7653: Code injection from current working directory
Date: Fri, 15 Feb 2019 09:11:11 +0100
On Thu, Feb 14, 2019 at 05:24:48PM +0100, chrysn wrote:
> 
> I can't directly push to the source right now (but have a PR pending at
> [1]) and can't upload (as I don't have DMUA on that package).

Hmmm, I cannot merge either.  What about moving that repository to the
Debian Python Modules team?
 
> Andreas or Ondřej, could you pull that in and do a team upload on
> this? (I can prepare a full DM upload to be sponsored, but it's my
> impression that team uploads are the easier way to go about this now).

I prefer to sponsor right from the Git repository, but a repository that
neither the Maintainer nor its sponsor can write to is just insane, and
DPMT seems the natural team that this package belongs to.

Thanks for your work on this package anyway

      Andreas.
 
> [1]: https://salsa.debian.org/debian/rdflib/merge_requests/1



-- 
http://fam-tille.de



Information forwarded to debian-bugs-dist@lists.debian.org, Christian M. Amsüss <chrysn@fsfe.org>:
Bug#921751; Package python-rdflib-tools. (Fri, 15 Feb 2019 08:30:06 GMT)


Acknowledgement sent to chrysn <chrysn@fsfe.org>:
Extra info received and forwarded to list. Copy sent to Christian M. Amsüss <chrysn@fsfe.org>. (Fri, 15 Feb 2019 08:30:06 GMT)


Message #31 received at 921751@bugs.debian.org:

From: chrysn <chrysn@fsfe.org>
To: Andreas Tille <andreas@fam-tille.de>
Cc: 921751@bugs.debian.org
Subject: Re: Bug#921751: python-rdflib-tools: CVE-2019-7653: Code injection from current working directory
Date: Fri, 15 Feb 2019 09:28:08 +0100
On Fri, Feb 15, 2019 at 09:11:11AM +0100, Andreas Tille wrote:
> On Thu, Feb 14, 2019 at 05:24:48PM +0100, chrysn wrote:
> > 
> > I can't directly push to the source right now (but have a PR pending at
> > [1]) and can't upload (as I don't have DMUA on that package).
> 
> Hmmm, I cannot merge either.  What about moving that repository to the
> Debian Python Modules team?

That's odd given you created the repo – but yes, I'm fine with it being
in DPMT as well, and will request it transferred (that'll only work via
the alioth admins).

I used to be a member of the DPMT group back on Alioth[2]; can you add me on
salsa? Then I can make the package ready for sponsor-upload-from-git
once moved.

Thanks
Christian

[2]: https://lists.debian.org/debian-python/2016/11/msg00048.html

Information forwarded to debian-bugs-dist@lists.debian.org, Christian M. Amsüss <chrysn@fsfe.org>:
Bug#921751; Package python-rdflib-tools. (Fri, 15 Feb 2019 09:57:05 GMT)


Acknowledgement sent to Andreas Tille <andreas@fam-tille.de>:
Extra info received and forwarded to list. Copy sent to Christian M. Amsüss <chrysn@fsfe.org>. (Fri, 15 Feb 2019 09:57:05 GMT)


Message #36 received at 921751@bugs.debian.org:

From: Andreas Tille <andreas@fam-tille.de>
To: chrysn <chrysn@fsfe.org>
Cc: 921751@bugs.debian.org, Ondřej Nový <onovy@debian.org>
Subject: Re: Bug#921751: python-rdflib-tools: CVE-2019-7653: Code injection from current working directory
Date: Fri, 15 Feb 2019 10:54:25 +0100
Hi Christian,

On Fri, Feb 15, 2019 at 09:28:08AM +0100, chrysn wrote:
> On Fri, Feb 15, 2019 at 09:11:11AM +0100, Andreas Tille wrote:
> > On Thu, Feb 14, 2019 at 05:24:48PM +0100, chrysn wrote:
> > > 
> > > I can't directly push to the source right now (but have a PR pending at
> > > [1]) and can't upload (as I don't have DMUA on that package).
> > 
> > Hmmm, I cannot merge either.  What about moving that repository to the
> > Debian Python Modules team?
> 
> That's odd given you created the repo – but yes, I'm fine with it being
> in DPMT as well, and will request it transferred (that'll only work via
> the alioth admins).

Yes, that's really odd.  I tried via Salsa web interface which does not
enable the "Merge" button.  When trying to do it manually the last step
fails:

  $ git push origin debian
GitLab: You are not allowed to push code to this project.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.


What is also strange: If I go to the original location on Salsa web
interface I see a hint:

  Project 'debian/rdflib' was moved to 'python-team/rdflib'. Please update any links and bookmarks that may still have the old path.

So it was somehow moved but definitely to a wrong location (that should
be rather python-team/modules/rdflib).

> I used to be a member of the DPMT group back on Alioth[2]; can you add me on
> salsa? Then I can make the package ready for sponsor-upload-from-git
> once moved.

Sorry, I can't for DPMT but I think Ondřej (re-added to CC) can.

Kind regards

      Andreas.
 
> [2]: https://lists.debian.org/debian-python/2016/11/msg00048.html



-- 
http://fam-tille.de



Information forwarded to debian-bugs-dist@lists.debian.org, Christian M. Amsüss <chrysn@fsfe.org>:
Bug#921751; Package python-rdflib-tools. (Fri, 15 Feb 2019 15:09:03 GMT)


Acknowledgement sent to chrysn <chrysn@fsfe.org>:
Extra info received and forwarded to list. Copy sent to Christian M. Amsüss <chrysn@fsfe.org>. (Fri, 15 Feb 2019 15:09:03 GMT)


Message #41 received at 921751@bugs.debian.org:

From: chrysn <chrysn@fsfe.org>
To: Andreas Tille <andreas@fam-tille.de>, 921751@bugs.debian.org
Subject: Re: Bug#921751: python-rdflib-tools: CVE-2019-7653: Code injection from current working directory
Date: Fri, 15 Feb 2019 16:04:31 +0100
> So it was somehow moved but definitely to a wrong location (that should
> be rather python-team/modules/rdflib).

Yes, that was a mistake when moving the module and is now fixed.

> I used to be a member of the DPMT group back on Alioth[2]; can you add me on
> salsa? Then I can make the package ready for sponsor-upload-from-git
> once moved.

I've incorporated the changes from the move and an update to
standards-version, and set the changelog to indicate release readiness.
Would you sponsor the latest version (81346975) of [1] to close this
issue?

Thanks
Christian

[1]: https://salsa.debian.org/python-team/modules/rdflib

Information forwarded to debian-bugs-dist@lists.debian.org, Christian M. Amsüss <chrysn@fsfe.org>:
Bug#921751; Package python-rdflib-tools. (Fri, 15 Feb 2019 19:27:06 GMT)


Acknowledgement sent to Andreas Tille <tille@debian.org>:
Extra info received and forwarded to list. Copy sent to Christian M. Amsüss <chrysn@fsfe.org>. (Fri, 15 Feb 2019 19:27:06 GMT)


Message #46 received at 921751@bugs.debian.org:

From: Andreas Tille <tille@debian.org>
To: chrysn <chrysn@fsfe.org>
Cc: 921751@bugs.debian.org
Subject: Re: Bug#921751: python-rdflib-tools: CVE-2019-7653: Code injection from current working directory
Date: Fri, 15 Feb 2019 20:24:22 +0100
On Fri, Feb 15, 2019 at 04:04:31PM +0100, chrysn wrote:
> 
> > I used to be a member of the DPMT group back on Alioth[2]; can you add me on
> > salsa? Then I can make the package ready for sponsor-upload-from-git
> > once moved.
> 
> I've incorporated the changes from the move and an update to
> standards-version, and set the changelog to indicate release readiness.
> Would you sponsor the latest version (81346975) of [1] to close this
> issue?

I have uploaded with an additional change to set DPMT as Maintainer
and you as Uploader since this is policy if you are maintaining in
this repository tree.

Thanks for working on this

       Andreas.

> [1]: https://salsa.debian.org/python-team/modules/rdflib

-- 
http://fam-tille.de



Reply sent to chrysn@fsfe.org (Christian M. Amsüss):
You have taken responsibility. (Fri, 15 Feb 2019 19:36:15 GMT)


Notification sent to Gabriel Corona <gabriel.corona@enst-bretagne.fr>:
Bug acknowledged by developer. (Fri, 15 Feb 2019 19:36:15 GMT)


Message #51 received at 921751-close@bugs.debian.org:

From: chrysn@fsfe.org (Christian M. Amsüss)
To: 921751-close@bugs.debian.org
Subject: Bug#921751: fixed in rdflib 4.2.2-2
Date: Fri, 15 Feb 2019 19:35:33 +0000
Source: rdflib
Source-Version: 4.2.2-2

We believe that the bug you reported is fixed in the latest version of
rdflib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 921751@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian M. Amsüss <chrysn@fsfe.org> (supplier of updated rdflib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 15 Feb 2019 15:50:18 +0100
Source: rdflib
Architecture: source
Version: 4.2.2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Christian M. Amsüss <chrysn@fsfe.org>
Closes: 917913 921751
Changes:
 rdflib (4.2.2-2) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * d/control: Remove ancient X-Python(3)-Version fields
   * d/changelog: Remove trailing whitespaces
 .
   [ Christian Amsüss ]
   * tools:
     - Use easy_install provided scripts (CVE-2019-7653, closes: #921751)
     - Use Python 3
   * d/control:
     - Update Standards-Version to 4.3.0 (no further changes)
     - Remove retired Olivier Berger from uploaders (closes: #917913)
     - Update salsa location
   * d/patches: Acknowledge that pyparsinglatest.patch is not required any more
   * Add bsddb3 and rdflib-jsonld to test dependencies
     - Disable broken tests for rdflib-jsonld at build time





Marked as found in versions rdflib/4.2.1-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 Feb 2019 20:09:03 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Mar 2019 07:26:54 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:26:55 2019; Machine Name: beach
