python-virtualenv: insecure /tmp file handling

Related Vulnerabilities: CVE-2011-4617  

Debian Bug report logs - #652653
python-virtualenv: insecure /tmp file handling


Reported by: Nico Golde <nion@debian.org>

Date: Mon, 19 Dec 2011 16:21:03 UTC

Severity: grave

Tags: patch

Found in version python-virtualenv/1.4.9-3

Fixed in versions python-virtualenv/1.6-1, python-virtualenv/1.4.9-3squeeze1

Done: Stefano Rivera <stefanor@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#652653; Package python-virtualenv. (Mon, 19 Dec 2011 16:21:06 GMT) (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 19 Dec 2011 16:21:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-virtualenv: insecure /tmp file handling
Date: Mon, 19 Dec 2011 17:19:29 +0100
Package: python-virtualenv
Version: 1.4.9-3
Severity: grave
Tags: patch

Hi,
it was discovered that python-virtualenv is handling /tmp files in an insecure manner.
The following patch fixed this problem:
https://bitbucket.org/ianb/virtualenv/changeset/8be37c509fe5

A CVE id for this issue has been requested.

Kind regards
Nico




Bug Marked as fixed in versions python-virtualenv/1.6-1. Request was from Stefano Rivera <stefanor@debian.org> to control@bugs.debian.org. (Mon, 19 Dec 2011 22:27:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#652653; Package python-virtualenv. (Mon, 19 Dec 2011 22:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Mon, 19 Dec 2011 22:36:03 GMT) (full text, mbox, link).


Message #12 received at 652653@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: 652653@bugs.debian.org
Cc: piotr@debian.org, Nico Golde <nion@debian.org>, debian-release@lists.debian.org
Subject: Re: Bug#652653: python-virtualenv: insecure /tmp file handling
Date: Mon, 19 Dec 2011 22:32:38 +0000
Hi,

On Mon, 2011-12-19 at 17:19 +0100, Nico Golde wrote:
> it was discovered that python-virtualenv is handling /tmp files in an insecure manner.
> The following patch fixed this problem:
> https://bitbucket.org/ianb/virtualenv/changeset/8be37c509fe5

I noticed that an upload which appears to fix this issue (although
without referencing the bug number) has appeared in p-u-NEW.  Whilst
that's an admirable turn-around :-) it really should have been discussed
with the SRMs first, rather than simply uploading (I believe this is
well documented enough by now - if not, please point out where and how
we could make it clearer).

Looking at the diff, and the equivalent code in the unstable package,
there seems to be a missing component - namely, that the directory
created via mkdtemp() is never cleaned up.  Am I missing something, or
does fixing this issue result in orphaned temporary directories?

Regards,

Adam



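The pattern Adam's question turns on, as an added Python illustration (this is not code from virtualenv, from upstream commit 8be37c509fe5, or from anyone in this thread): a fixed, predictable path under the shared /tmp is the weak form this bug is about; tempfile.mkdtemp() is the replacement, since it creates a fresh, randomly named, owner-only directory atomically; and the try/finally removal is the cleanup step that the original fix left out and #661272 later added. The file name "bootstrap.py", the sample payload and the "virtualenv-" prefix are constructed for the example and are not virtualenv's own.

```python
"""Added example: insecure fixed /tmp path vs. mkdtemp() with cleanup.
Not code from the virtualenv project or from the Debian bug thread."""
import os
import shutil
import stat
import tempfile
from contextlib import contextmanager

# Constructed sample standing in for files a bootstrap tool unpacks;
# the file name is an assumption, not virtualenv's real file.
SAMPLE_FILES = {"bootstrap.py": b"print('hello')\n"}


def insecure_tmp_path(name):
    """The 'before' pattern: a fixed, predictable path in the shared temp dir.
    Any other local user can create that path (or a symlink at it) ahead of
    us, so a later write can land somewhere we did not intend. Returned only
    for illustration; nothing in this module writes to it."""
    return os.path.join(tempfile.gettempdir(), name)


@contextmanager
def private_workdir(prefix="virtualenv-"):
    """The fix plus the cleanup: mkdtemp() creates a new directory with a
    random name and mode 0700 in one step, so nobody can pre-create it, and
    the finally clause removes it again so no orphaned directories remain."""
    path = tempfile.mkdtemp(prefix=prefix)
    try:
        yield path
    finally:
        shutil.rmtree(path, ignore_errors=True)


def extract_files(workdir, files):
    """Write each payload into the private work directory with mode 0600.
    O_EXCL makes the create fail if an entry already exists, so even inside
    the private directory nothing pre-existing is followed or clobbered."""
    written = []
    for name, data in files.items():
        target = os.path.join(workdir, name)
        fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        written.append(target)
    return written


def check_private_dir(path):
    """Audit helper: True if path is a directory owned by us with mode 0700,
    i.e. what a correct mkdtemp() result looks like on a POSIX system."""
    st = os.lstat(path)
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == os.getuid()
            and stat.S_IMODE(st.st_mode) == 0o700)


def run_bootstrap(files=SAMPLE_FILES):
    """Run the whole flow once and report what a reviewer would check:
    (work dir was private, names written, work dir still exists afterwards)."""
    with private_workdir() as workdir:
        private = check_private_dir(workdir)
        written = extract_files(workdir, files)
        names = sorted(os.path.basename(p) for p in written)
    # After the with-block the cleanup has run; a correct fix leaves nothing.
    return private, names, os.path.exists(workdir)


if __name__ == "__main__":
    print(run_bootstrap())  # (True, ['bootstrap.py'], False)
```

The third element of run_bootstrap()'s result is the point of Adam's question: with only the mkdtemp() change it would be True after every run, leaving a new orphaned directory each time; with the finally clause it is False.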


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#652653; Package python-virtualenv. (Tue, 20 Dec 2011 08:54:05 GMT) (full text, mbox, link).


Acknowledgement sent to Piotr Ożarowski <piotr@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 20 Dec 2011 08:54:06 GMT) (full text, mbox, link).


Message #17 received at 652653@bugs.debian.org (full text, mbox, reply):

From: Piotr Ożarowski <piotr@debian.org>
To: 652653@bugs.debian.org
Cc: Nico Golde <nion@debian.org>, debian-release@lists.debian.org
Subject: Re: Bug#652653: python-virtualenv: insecure /tmp file handling
Date: Tue, 20 Dec 2011 09:44:54 +0100
[Adam D. Barratt, 2011-12-19]
> I noticed that an upload which appears to fix this issue (although
> without referencing the bug number) has appeared in p-u-NEW.  Whilst

sorry, I didn't notice a bug was reported

> that's an admirable turn-around :-) it really should have been discussed
> with the SRMs first, rather than simply uploading (I believe this is
> well documented enough by now - if not, please point out where and how
> we could make it clearer).

ups, I assumed someone from SRMs is in the thread

> Looking at the diff, and the equivalent code in the unstable package,
> there seems to be a missing component - namely, that the directory
> created via mkdtemp() is never cleaned up.  Am I missing something, or
> does fixing this issue result in orphaned temporary directories?

the old code didn't do it as well, I can update the patch to remove it
-- 
Piotr Ożarowski                         Debian GNU/Linux Developer
www.ozarowski.pl          www.griffith.cc           www.debian.org
GPG Fingerprint: 1D2F A898 58DA AF62 1786 2DF7 AEF6 F1A2 A745 7645




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#652653; Package python-virtualenv. (Tue, 20 Dec 2011 20:21:05 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 20 Dec 2011 20:21:05 GMT) (full text, mbox, link).


Message #22 received at 652653@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Piotr Ożarowski <piotr@debian.org>
Cc: 652653@bugs.debian.org, Nico Golde <nion@debian.org>, debian-release@lists.debian.org
Subject: Re: Bug#652653: python-virtualenv: insecure /tmp file handling
Date: Tue, 20 Dec 2011 20:18:13 +0000
On Tue, 2011-12-20 at 09:44 +0100, Piotr Ożarowski wrote:
> [Adam D. Barratt, 2011-12-19]
> > I noticed that an upload which appears to fix this issue (although
> > without referencing the bug number) has appeared in p-u-NEW.  Whilst
> 
> sorry, I didn't notice a bug was reported

No worries.  I assumed the upload was a consequence of the bug report,
given the timing, but obviously not.

> > that's an admirable turn-around :-) it really should have been discussed
> > with the SRMs first, rather than simply uploading (I believe this is
> > well documented enough by now - if not, please point out where and how
> > we could make it clearer).
> 
> ups, I assumed someone from SRMs is in the thread

If the thread involved the security team saying "please fix this via
proposed-updates", there's an implied "by talking to the release team"
attached.  We're generally not involved in such discussions until after
the security team have decided they don't want to issue a DSA for a
particular issue and someone raises it with us.

> > Looking at the diff, and the equivalent code in the unstable package,
> > there seems to be a missing component - namely, that the directory
> > created via mkdtemp() is never cleaned up.  Am I missing something, or
> > does fixing this issue result in orphaned temporary directories?
> 
> the old code didn't do it as well,

Well, trying to remove /tmp would be a silly idea. ;-)

> I can update the patch to remove it

That would be good, although in that case the change should be made in
unstable first (and pushed upstream?).

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#652653; Package python-virtualenv. (Tue, 20 Dec 2011 20:27:06 GMT) (full text, mbox, link).


Acknowledgement sent to Nico Golde <debian-release+ml@ngolde.de>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 20 Dec 2011 20:27:06 GMT) (full text, mbox, link).


Message #27 received at 652653@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <debian-release+ml@ngolde.de>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: Piotr Ożarowski <piotr@debian.org>, 652653@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#652653: python-virtualenv: insecure /tmp file handling
Date: Tue, 20 Dec 2011 21:24:28 +0100
Hi,
* Adam D. Barratt <adam@adam-barratt.org.uk> [2011-12-20 21:22]:
> On Tue, 2011-12-20 at 09:44 +0100, Piotr Ożarowski wrote:
[...] 
> > > that's an admirable turn-around :-) it really should have been discussed
> > > with the SRMs first, rather than simply uploading (I believe this is
> > > well documented enough by now - if not, please point out where and how
> > > we could make it clearer).
> > 
> > ups, I assumed someone from SRMs is in the thread
> 
> If the thread involved the security team saying "please fix this via
> proposed-updates", there's an implied "by talking to the release team"
> attached.  We're generally not involved in such discussions until after
> the security team have decided they don't want to issue a DSA for a
> particular issue and someone raises it with us.

We will not issue a DSA for this vulnerability. Please go ahead and fix this 
through spu.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Reply sent to Nico Golde <debian-release+ml@ngolde.de>:
You have taken responsibility. (Tue, 20 Dec 2011 20:27:09 GMT) (full text, mbox, link).


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Tue, 20 Dec 2011 20:27:09 GMT) (full text, mbox, link).


Message #32 received at 652653-done@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <debian-release+ml@ngolde.de>
To: 652653-done@bugs.debian.org
Subject: Re: Bug#652653: python-virtualenv: insecure /tmp file handling
Date: Tue, 20 Dec 2011 21:23:27 +0100
Version: 1.4.9-1

Hi,
* Adam D. Barratt <adam@adam-barratt.org.uk> [2011-12-19 23:35]:
> On Mon, 2011-12-19 at 17:19 +0100, Nico Golde wrote:
> > it was discovered that python-virtualenv is handling /tmp files in an insecure manner.
> > The following patch fixed this problem:
> > https://bitbucket.org/ianb/virtualenv/changeset/8be37c509fe5
> 
> I noticed that an upload which appears to fix this issue (although
> without referencing the bug number) has appeared in p-u-NEW.  Whilst
> that's an admirable turn-around :-) it really should have been discussed
> with the SRMs first, rather than simply uploading (I believe this is
> well documented enough by now - if not, please point out where and how
> we could make it clearer).
> 
> Looking at the diff, and the equivalent code in the unstable package,
> there seems to be a missing component - namely, that the directory
> created via mkdtemp() is never cleaned up.  Am I missing something, or
> does fixing this issue result in orphaned temporary directories?

I mark this as fixed in 1.4.9-1. It's true that the patch doesn't clean the 
directory, but since that is not security related I don't mind. lenny/squeeze 
still have the vulnerable code.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#652653; Package python-virtualenv. (Tue, 20 Dec 2011 20:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Tue, 20 Dec 2011 20:33:05 GMT) (full text, mbox, link).


Message #37 received at 652653@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Nico Golde <debian-release+ml@ngolde.de>, 652653@bugs.debian.org
Cc: piotr@debian.org, debian-release@lists.debian.org
Subject: Re: Bug#652653: python-virtualenv: insecure /tmp file handling
Date: Tue, 20 Dec 2011 20:31:08 +0000
On Tue, 2011-12-20 at 21:24 +0100, Nico Golde wrote:
> Hi,
> * Adam D. Barratt <adam@adam-barratt.org.uk> [2011-12-20 21:22]:
> > If the thread involved the security team saying "please fix this via
> > proposed-updates", there's an implied "by talking to the release team"
> > attached.  We're generally not involved in such discussions until after
> > the security team have decided they don't want to issue a DSA for a
> > particular issue and someone raises it with us.
> 
> We will not issue a DSA for this vulnerability.

I gathered that now ;-) (although thanks for the explicit answer) - it
was more of a general comment for the future.

Cheers,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#652653; Package python-virtualenv. (Thu, 12 Jan 2012 21:24:07 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Thu, 12 Jan 2012 21:24:07 GMT) (full text, mbox, link).


Message #42 received at 652653@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Piotr Ożarowski <piotr@debian.org>
Cc: 652653@bugs.debian.org, Nico Golde <nion@debian.org>, debian-release@lists.debian.org
Subject: Re: Bug#652653: python-virtualenv: insecure /tmp file handling
Date: Thu, 12 Jan 2012 21:20:46 +0000
On Tue, 2011-12-20 at 20:18 +0000, Adam D. Barratt wrote:
> On Tue, 2011-12-20 at 09:44 +0100, Piotr Ożarowski wrote:
> > [Adam D. Barratt, 2011-12-19]
> > > Looking at the diff, and the equivalent code in the unstable package,
> > > there seems to be a missing component - namely, that the directory
> > > created via mkdtemp() is never cleaned up.  Am I missing something, or
> > > does fixing this issue result in orphaned temporary directories?
> > 
> > the old code didn't do it as well,
> 
> Well, trying to remove /tmp would be a silly idea. ;-)
> 
> > I can update the patch to remove it
> 
> That would be good, although in that case the change should be made in
> unstable first (and pushed upstream?).

Any news on that?

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#652653; Package python-virtualenv. (Sat, 25 Feb 2012 19:51:07 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sat, 25 Feb 2012 19:51:07 GMT) (full text, mbox, link).


Message #47 received at 652653@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: submit@bugs.debian.org
Cc: 652653@bugs.debian.org, debian-release@lists.debian.org
Subject: python-virtualenv: security fix leaves behind orphaned temporary directories
Date: Sat, 25 Feb 2012 19:47:01 +0000
Package: python-virtualenv
Version: 1.6-1

[Let's make this a proper bug report]

On Tue, 2011-12-20 at 20:18 +0000, Adam D. Barratt wrote:
> On Tue, 2011-12-20 at 09:44 +0100, Piotr Ożarowski wrote:
> > [Adam D. Barratt, 2011-12-19]
> > > Looking at the diff, and the equivalent code in the unstable package,
> > > there seems to be a missing component - namely, that the directory
> > > created via mkdtemp() is never cleaned up.  Am I missing something, or
> > > does fixing this issue result in orphaned temporary directories?
> > 
> > the old code didn't do it as well,
> 
> Well, trying to remove /tmp would be a silly idea. ;-)
> 
> > I can update the patch to remove it
> 
> That would be good, although in that case the change should be made in
> unstable first (and pushed upstream?).

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#652653; Package python-virtualenv. (Sun, 22 Apr 2012 14:36:04 GMT) (full text, mbox, link).


Acknowledgement sent to Stefano Rivera <stefanor@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Sun, 22 Apr 2012 14:36:07 GMT) (full text, mbox, link).


Message #52 received at 652653@bugs.debian.org (full text, mbox, reply):

From: Stefano Rivera <stefanor@debian.org>
To: Nico Golde <debian-release+ml@ngolde.de>
Cc: 652653@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#652653: python-virtualenv: insecure /tmp file handling
Date: Sun, 22 Apr 2012 16:32:47 +0200
notfixed 652653 1.4.9-1
notfound 652653 1.6-1
fixed 652653 1.6-1
thanks

Hi Nico (2011.12.20_22:23:27_+0200)
> I mark this as fixed in 1.4.9-1. It's true that the patch doesn't clean the 
> directory, but since that is not security related I don't mind. lenny/squeeze 
> still have the vulnerable code.

Err, no, this was only fixed in 1.6.

For the record, the tmp dir cleaning is #661272.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  H: +27 21 465 6908 C: +27 72 419 8559  UCT: x3127




No longer marked as fixed in versions 1.4.9-1. Request was from Stefano Rivera <stefanor@debian.org> to control@bugs.debian.org. (Sun, 22 Apr 2012 14:37:09 GMT) (full text, mbox, link).


No longer marked as found in versions python-virtualenv/1.6-1. Request was from Stefano Rivera <stefanor@debian.org> to control@bugs.debian.org. (Sun, 22 Apr 2012 14:37:09 GMT) (full text, mbox, link).


Marked as fixed in versions python-virtualenv/1.6-1. Request was from Stefano Rivera <stefanor@debian.org> to control@bugs.debian.org. (Sun, 22 Apr 2012 14:37:10 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#652653; Package python-virtualenv. (Wed, 02 May 2012 22:24:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Wed, 02 May 2012 22:24:03 GMT) (full text, mbox, link).


Message #63 received at 652653@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: python-modules-team@lists.alioth.debian.org
Cc: 652653@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#652653: python-virtualenv: insecure /tmp file handling
Date: Wed, 02 May 2012 23:21:24 +0100
On Tue, 2011-12-20 at 20:18 +0000, Adam D. Barratt wrote:
> On Tue, 2011-12-20 at 09:44 +0100, Piotr Ożarowski wrote:
> > [Adam D. Barratt, 2011-12-19]
[...]
> > > Looking at the diff, and the equivalent code in the unstable package,
> > > there seems to be a missing component - namely, that the directory
> > > created via mkdtemp() is never cleaned up.  Am I missing something, or
> > > does fixing this issue result in orphaned temporary directories?
> > 
> > the old code didn't do it as well,
> 
> Well, trying to remove /tmp would be a silly idea. ;-)
> 
> > I can update the patch to remove it
> 
> That would be good, although in that case the change should be made in
> unstable first (and pushed upstream?).

That happened now, as #661272 which was recently fixed in sid (thanks
Stefano!).  In terms of getting stable updated, either a 1.4.9-3squeeze2
package could be prepared incorporating the extra fixes, or we could
reject the original package and fix everything in one upload.  Thoughts?

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#652653; Package python-virtualenv. (Fri, 04 May 2012 18:45:09 GMT) (full text, mbox, link).


Acknowledgement sent to Stefano Rivera <stefanor@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Fri, 04 May 2012 18:45:09 GMT) (full text, mbox, link).


Message #68 received at 652653@bugs.debian.org (full text, mbox, reply):

From: Stefano Rivera <stefanor@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 652653@bugs.debian.org
Cc: piotr@debian.org
Subject: Re: Bug#652653: python-virtualenv: insecure /tmp file handling
Date: Fri, 4 May 2012 20:40:16 +0200
Hi Adam (2012.05.03_00:21:24_+0200)
> That happened now, as #661272 which was recently fixed in sid (thanks
> Stefano!).  In terms of getting stable updated, either a 1.4.9-3squeeze2
> package could be prepared incorporating the extra fixes, or we could
> reject the original package and fix everything in one upload.  Thoughts?

I have prepared an upload to replace the existing one (reject), so that
I could edit the changelog to close this bug and mention the CVE.

debdiff attached.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  H: +27 21 465 6908 C: +27 72 419 8559  UCT: x3127
[python-virtualenv_1.4.9-3squeeze1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#652653; Package python-virtualenv. (Fri, 04 May 2012 19:57:02 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Fri, 04 May 2012 19:57:02 GMT) (full text, mbox, link).


Message #73 received at 652653@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Stefano Rivera <stefanor@debian.org>
Cc: 652653@bugs.debian.org, piotr@debian.org
Subject: Re: Bug#652653: python-virtualenv: insecure /tmp file handling
Date: Fri, 04 May 2012 20:54:49 +0100
On Fri, 2012-05-04 at 20:40 +0200, Stefano Rivera wrote:
> Hi Adam (2012.05.03_00:21:24_+0200)
> > That happened now, as #661272 which was recently fixed in sid (thanks
> > Stefano!).  In terms of getting stable updated, either a 1.4.9-3squeeze2
> > package could be prepared incorporating the extra fixes, or we could
> > reject the original package and fix everything in one upload.  Thoughts?
> 
> I have prepared an upload to replace the existing one (reject), so that
> I could edit the changelog to close this bug and mention the CVE.
> 
> debdiff attached.

+Description: Cleanup temporary directory created with mkdtemp()
+ This patch was backported from the cleanup_tmpdirs.patch applied in
1.7.1.2-1
+ .
+ The base64 mess is equivalent to:

Nice. :-)

Please go ahead; thanks.

Regards,

Adam





Reply sent to Stefano Rivera <stefanor@debian.org>:
You have taken responsibility. (Sat, 05 May 2012 12:32:55 GMT) (full text, mbox, link).


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Sat, 05 May 2012 12:32:57 GMT) (full text, mbox, link).


Message #78 received at 652653-close@bugs.debian.org (full text, mbox, reply):

From: Stefano Rivera <stefanor@debian.org>
To: 652653-close@bugs.debian.org
Subject: Bug#652653: fixed in python-virtualenv 1.4.9-3squeeze1
Date: Sat, 05 May 2012 11:47:08 +0000
Source: python-virtualenv
Source-Version: 1.4.9-3squeeze1

We believe that the bug you reported is fixed in the latest version of
python-virtualenv, which is due to be installed in the Debian FTP archive:

python-virtualenv_1.4.9-3squeeze1.debian.tar.gz
  to main/p/python-virtualenv/python-virtualenv_1.4.9-3squeeze1.debian.tar.gz
python-virtualenv_1.4.9-3squeeze1.dsc
  to main/p/python-virtualenv/python-virtualenv_1.4.9-3squeeze1.dsc
python-virtualenv_1.4.9-3squeeze1_all.deb
  to main/p/python-virtualenv/python-virtualenv_1.4.9-3squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 652653@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefano Rivera <stefanor@debian.org> (supplier of updated python-virtualenv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 04 May 2012 20:31:24 +0200
Source: python-virtualenv
Binary: python-virtualenv
Architecture: source all
Version: 1.4.9-3squeeze1
Distribution: stable
Urgency: high
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Stefano Rivera <stefanor@debian.org>
Description: 
 python-virtualenv - Python virtual environment creator
Closes: 652653 661272
Changes: 
 python-virtualenv (1.4.9-3squeeze1) stable; urgency=high
 .
   [ Piotr Ożarowski ]
   * Apply upstream's 8be37c509fe5 commit (to use proper temp. dir instead of
     /tmp) (CVE-2011-4617, Closes: #652653)
 .
   [ Stefano Rivera ]
   * Team upload.
   * Backport cleanup_tmpdirs.patch from 1.7.1.2-1.
     Cleanup temporary working directories. (Closes: #661272)
Checksums-Sha1: 
 546ba2a239df59a736988ad4c43481764abb9c74 2154 python-virtualenv_1.4.9-3squeeze1.dsc
 754016e6a2e5300776b8d8a25df101297ebaf64a 22226 python-virtualenv_1.4.9-3squeeze1.debian.tar.gz
 34d6aee33caa10e7dc6a7f8a3fe7120f620283ad 1507028 python-virtualenv_1.4.9-3squeeze1_all.deb
Checksums-Sha256: 
 5540b3aaed0e0f6ea180e2bf4212b878e374e9c9ff75619bdce5c6e9495a17ad 2154 python-virtualenv_1.4.9-3squeeze1.dsc
 2e04fd719f5f33af567b10c1e03e384dabccb9a39223b47b48c7d50958b1b9c5 22226 python-virtualenv_1.4.9-3squeeze1.debian.tar.gz
 3dd45720f5c86e04993cd849988e0caca651e4eb292ceaec91782ce066dc7195 1507028 python-virtualenv_1.4.9-3squeeze1_all.deb
Files: 
 890e641dce1ed40b066def6eefd15d9a 2154 python optional python-virtualenv_1.4.9-3squeeze1.dsc
 721d356b2146aac73a7a4e4d8e83086a 22226 python optional python-virtualenv_1.4.9-3squeeze1.debian.tar.gz
 ce7b373c09b041cb1aeab20d3c21db99 1507028 python optional python-virtualenv_1.4.9-3squeeze1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Jun 2012 07:37:17 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:36:50 2019; Machine Name: buxtehude


Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.