CVE-2019-7653: #921751 - python-rdflib-tools: CVE-2019-7653: Code injection from current working directory

The Debian python-rdflib-tools 4.2.2-1 package for RDFLib 4.2.2 has CLI tools that can load Python modules from the current working directory, allowing code injection, because “python -m” looks in this directory, as demonstrated by rdf2dot. This issue is specific to use of the debian/scripts directory.

Reported by: Gabriel Corona [email protected]

Date: Fri, 8 Feb 2019 20:51:02 UTC

Severity: normal

Tags: security

Found in versions rdflib/4.2.1-2, rdflib/4.2.2-1

Fixed in version rdflib/4.2.2-2

Done: [email protected] (Christian M. Amsüss)

Bug is archived. No further changes may be made.

Report forwarded to [email protected], [email protected], Christian M. Amsüss <[email protected]>:
Bug#921751; Package python-rdflib-tools. (Fri, 08 Feb 2019 20:51:04 GMT) (full text, mbox, link).

Acknowledgement sent to Gabriel Corona <[email protected]>:
New Bug report received and forwarded. Copy sent to [email protected], Christian M. Amsüss <[email protected]>. (Fri, 08 Feb 2019 20:51:04 GMT) (full text, mbox, link).

Message #5 received at [email protected] (full text, mbox, reply):

Package: python-rdflib-tools
Version: 4.2.2-1
Severity: normal
Tags: security

The CLI tools in python-rdflib-tools can load python modules found in the current directory. This happens because “python -m” appends the current directory to the python path.

$ echo 'print("Something")' > cgi.py
$ rdf2dot
INFO:rdflib:RDFLib Version: 4.2.2
Something
Reading from stdin as None...

The local cgi.py file is loaded instead of the system one.

There are probably other instances of this in the Debian archive. Constructs such as:

python -m "$some_module"
python -c "$some_code"
$some_command | python

can lead to code injection from the current working directory.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (90, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python-rdflib-tools depends on:
ii  python         2.7.15-4
ii  python-rdflib  4.2.2-1

python-rdflib-tools recommends no packages.

python-rdflib-tools suggests no packages.

-- no debconf information

Added tag(s) upstream. Request was from Salvatore Bonaccorso <[email protected]> to [email protected]. (Fri, 08 Feb 2019 21:33:06 GMT) (full text, mbox, link).

Removed tag(s) upstream. Request was from Salvatore Bonaccorso <[email protected]> to [email protected]. (Fri, 08 Feb 2019 21:45:10 GMT) (full text, mbox, link).

Information forwarded to [email protected], Christian M. Amsüss <[email protected]>:
Bug#921751; Package python-rdflib-tools. (Sat, 09 Feb 2019 04:15:03 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <[email protected]>:
Extra info received and forwarded to list. Copy sent to Christian M. Amsüss <[email protected]>. (Sat, 09 Feb 2019 04:15:03 GMT) (full text, mbox, link).

Message #14 received at [email protected] (full text, mbox, reply):

Control: retitle -1 python-rdflib-tools: CVE-2019-7653: Code injection from current working directory

Hi Gabriel!

On Fri, Feb 08, 2019 at 09:49:07PM +0100, Gabriel Corona wrote:

> Package: python-rdflib-tools
> Version: 4.2.2-1
> Severity: normal
> Tags: security
>
> The CLI tools in python-rdflib-tools can load python modules found in the current directory. This happens because “python -m” appends the current directory to the python path.
>
> $ echo 'print("Something")' > cgi.py
> $ rdf2dot
> INFO:rdflib:RDFLib Version: 4.2.2
> Something
> Reading from stdin as None...
>
> The local cgi.py file is loaded instead of the system one.
>
> There are probably other instances of this in the Debian archive. Constructs such as:
>
> python -m "$some_module"
> python -c "$some_code"
> $some_command | python
>
> can lead to code injection from the current working directory.

MITRE has assigned CVE-2019-7653 for this issue.

For those following the bug, this likely does not affect the upstream project itself and is Debian specific, as the Debian packaging AFAICS replaces the respective scripts/tools by wrappers invoking python -m as described by Gabriel (please correct me if I’m wrong).

Regards,
Salvatore

Changed Bug title to ‘python-rdflib-tools: CVE-2019-7653: Code injection from current working directory’ from 'python-rdflib-tools: Code injection from current working directory’. Request was from Salvatore Bonaccorso <[email protected]> to [email protected]. (Sat, 09 Feb 2019 04:15:03 GMT) (full text, mbox, link).

Information forwarded to [email protected], Christian M. Amsüss <[email protected]>:
Bug#921751; Package python-rdflib-tools. (Thu, 14 Feb 2019 16:33:05 GMT) (full text, mbox, link).

Acknowledgement sent to chrysn <[email protected]>:
Extra info received and forwarded to list. Copy sent to Christian M. Amsüss <[email protected]>. (Thu, 14 Feb 2019 16:33:05 GMT) (full text, mbox, link).

Message #21 received at [email protected] (full text, mbox, reply):


On Sat, Feb 09, 2019 at 05:13:07AM +0100, Salvatore Bonaccorso wrote:

> For those following the bug, this likely does not affect the upstream project itself and is Debian specific, as the Debian packaging AFAICS replaces the respective scripts/tools by wrappers invoking python -m as described by Gabriel (please correct me if I’m wrong).

I’ve updated the package’s source to avoid the issue by using the wrappers that setup.py/easy_install provides rather than making our own in Debian.

I can’t directly push to the source right now (but have a PR pending at [1]) and can’t upload (as I don’t have DMUA on that package).

Andreas or Ondřej, could you pull that in and do a team upload on this? (I can prepare a full DM upload to be sponsored, but it’s my impression that team uploads are the easier way to go about this now).

Best regards,
Christian

[1]: https://salsa.debian.org/debian/rdflib/merge_requests/1
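An added, runnable illustration (not code from the bug report, the Debian packaging or rdflib) of the mechanism Gabriel describes and of why the setuptools-provided wrappers Christian switched to avoid it: `python -m tool` puts the current working directory first on sys.path, while an entry-point script puts its own bin directory there. The `tool` and `helper` modules, the directory layout and the minimal wrapper are constructed stand-ins, and everything lives in a temporary directory.

```python
"""Added demo (not the bug report's code): `python -m tool` can be hijacked from
the working directory; an entry-point wrapper (Debian's fix) cannot. Names made up."""
import os, subprocess, sys, tempfile, textwrap

# Stand-in for the packaged tool: it imports a sibling module by bare name.
TOOL = textwrap.dedent("""\
    import helper  # the import an attacker-controlled cwd can shadow
    def main():
        print(helper.ORIGIN)
    if __name__ == "__main__":
        main()
""")
REAL_HELPER = 'ORIGIN = "real"\n'
CWD_HELPER = 'ORIGIN = "shadowed-from-cwd"\n'   # planted in the working directory
# What a setuptools console_scripts entry point boils down to: a script in a bin
# directory that imports the tool, so sys.path[0] is that bin directory, not cwd.
WRAPPER = "from tool import main\nmain()\n"

def write(path, text):
    with open(path, "w") as fh:
        fh.write(text)

def run_both(root):
    """Return (helper origin seen via `python -m tool`, origin seen via wrapper)."""
    install = os.path.join(root, "install")   # plays the role of site-packages
    bindir = os.path.join(install, "bin")
    cwd = os.path.join(root, "cwd")           # directory the user happens to be in
    os.makedirs(bindir)
    os.makedirs(cwd)
    write(os.path.join(install, "tool.py"), TOOL)
    write(os.path.join(install, "helper.py"), REAL_HELPER)
    write(os.path.join(bindir, "tool"), WRAPPER)
    write(os.path.join(cwd, "helper.py"), CWD_HELPER)
    env = dict(os.environ, PYTHONPATH=install)
    env.pop("PYTHONSAFEPATH", None)           # 3.11+ mitigation; unset to show the bug

    def run(argv):
        proc = subprocess.run([sys.executable] + argv, cwd=cwd, env=env,
                              capture_output=True, text=True, check=True)
        return proc.stdout.strip()

    via_m = run(["-m", "tool"])                        # -m puts cwd first on sys.path
    via_wrapper = run([os.path.join(bindir, "tool")])  # wrapper puts bindir first
    return via_m, via_wrapper

def demo():
    with tempfile.TemporaryDirectory() as root:
        return run_both(root)

if __name__ == "__main__":
    for label, origin in zip(("python -m tool", "entry-point wrapper"), demo()):
        print(f"{label:20} -> {origin}")
```

In Debian the wrapper's bin directory is root-owned /usr/bin, which is the property that makes the fix hold; on Python 3.11+ the `-P` flag or PYTHONSAFEPATH removes the cwd entry for `-m` as well.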


Information forwarded to [email protected], Christian M. Amsüss <[email protected]>:
Bug#921751; Package python-rdflib-tools. (Fri, 15 Feb 2019 08:15:03 GMT) (full text, mbox, link).

Acknowledgement sent to Andreas Tille <[email protected]>:
Extra info received and forwarded to list. Copy sent to Christian M. Amsüss <[email protected]>. (Fri, 15 Feb 2019 08:15:04 GMT) (full text, mbox, link).

Message #26 received at [email protected] (full text, mbox, reply):

On Thu, Feb 14, 2019 at 05:24:48PM +0100, chrysn wrote:

> I can’t directly push to the source right now (but have a PR pending at [1]) and can’t upload (as I don’t have DMUA on that package).

Hmmm, I can not merge either. What about moving that repository to Debian Python Modules team?

> Andreas or Ondřej, could you pull that in and do a team upload on this? (I can prepare a full DM upload to be sponsored, but it’s my impression that team uploads are the easier way to go about this now).

I prefer to sponsor right from the Git repository but a repository where neither the Maintainer nor its sponsor can write to is just insane and DPMT seems the natural team that package belongs to.

Thanks for your work on this package anyway

  Andreas.

[1]: https://salsa.debian.org/debian/rdflib/merge_requests/1

--
http://fam-tille.de

Information forwarded to [email protected], Christian M. Amsüss <[email protected]>:
Bug#921751; Package python-rdflib-tools. (Fri, 15 Feb 2019 08:30:06 GMT) (full text, mbox, link).

Acknowledgement sent to chrysn <[email protected]>:
Extra info received and forwarded to list. Copy sent to Christian M. Amsüss <[email protected]>. (Fri, 15 Feb 2019 08:30:06 GMT) (full text, mbox, link).

Message #31 received at [email protected] (full text, mbox, reply):


On Fri, Feb 15, 2019 at 09:11:11AM +0100, Andreas Tille wrote:

> On Thu, Feb 14, 2019 at 05:24:48PM +0100, chrysn wrote:
> > I can’t directly push to the source right now (but have a PR pending at [1]) and can’t upload (as I don’t have DMUA on that package).
>
> Hmmm, I can not merge either. What about moving that repository to Debian Python Modules team?

That’s odd given you created the repo – but yes, I’m fine with it being in DPMT as well, and will request it transferred (that’ll only work via the alioth admins).

I used to be member of the DPMT group back on Alioth[2], can you add me on salsa? Then I can make the package ready for sponsor-upload-from-git once moved.

Thanks,
Christian

[2]: https://lists.debian.org/debian-python/2016/11/msg00048.html


Information forwarded to [email protected], Christian M. Amsüss <[email protected]>:
Bug#921751; Package python-rdflib-tools. (Fri, 15 Feb 2019 09:57:05 GMT) (full text, mbox, link).

Acknowledgement sent to Andreas Tille <[email protected]>:
Extra info received and forwarded to list. Copy sent to Christian M. Amsüss <[email protected]>. (Fri, 15 Feb 2019 09:57:05 GMT) (full text, mbox, link).

Message #36 received at [email protected] (full text, mbox, reply):

Hi Christian,

On Fri, Feb 15, 2019 at 09:28:08AM +0100, chrysn wrote:

> On Fri, Feb 15, 2019 at 09:11:11AM +0100, Andreas Tille wrote:
> > On Thu, Feb 14, 2019 at 05:24:48PM +0100, chrysn wrote:
> > > I can’t directly push to the source right now (but have a PR pending at [1]) and can’t upload (as I don’t have DMUA on that package).
> >
> > Hmmm, I can not merge either. What about moving that repository to Debian Python Modules team?
>
> That’s odd given you created the repo – but yes, I’m fine with it being in DPMT as well, and will request it transferred (that’ll only work via the alioth admins).

Yes, that’s really odd. I tried via Salsa web interface which does not enable the “Merge” button. When trying to do it manually the last step fails:

$ git push origin debian
GitLab: You are not allowed to push code to this project.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

What is also strange: If I go to the original location on Salsa web interface I see a hint:

Project ‘debian/rdflib’ was moved to 'python-team/rdflib’. Please update any links and bookmarks that may still have the old path.

So it was somehow moved but definitely to a wrong location (that should be rather python-team/modules/rdflib).

> I used to be member of the DPMT group back on Alioth[2], can you add me on salsa? Then I can make the package ready for sponsor-upload-from-git once moved.

Sorry, I can’t for DPMT but I think Ondřej (re-added to CC) can.

Kind regards

  Andreas.

[2]: https://lists.debian.org/debian-python/2016/11/msg00048.html

--
http://fam-tille.de

Information forwarded to [email protected], Christian M. Amsüss <[email protected]>:
Bug#921751; Package python-rdflib-tools. (Fri, 15 Feb 2019 15:09:03 GMT) (full text, mbox, link).

Acknowledgement sent to chrysn <[email protected]>:
Extra info received and forwarded to list. Copy sent to Christian M. Amsüss <[email protected]>. (Fri, 15 Feb 2019 15:09:03 GMT) (full text, mbox, link).

Message #41 received at [email protected] (full text, mbox, reply):


> So it was somehow moved but definitely to a wrong location (that should be rather python-team/modules/rdflib).

Yes, that was a mistake when moving the module and is now fixed.

> I used to be member of the DPMT group back on Alioth[2], can you add me on salsa? Then I can make the package ready for sponsor-upload-from-git once moved.

I’ve incorporated the changes from the move and an update to standards-version, and set the changelog to indicate release readiness. Would you sponsor the latest version (81346975) of [1] to close this issue?

Thanks,
Christian

[1]: https://salsa.debian.org/python-team/modules/rdflib


Information forwarded to [email protected], Christian M. Amsüss <[email protected]>:
Bug#921751; Package python-rdflib-tools. (Fri, 15 Feb 2019 19:27:06 GMT) (full text, mbox, link).

Acknowledgement sent to Andreas Tille <[email protected]>:
Extra info received and forwarded to list. Copy sent to Christian M. Amsüss <[email protected]>. (Fri, 15 Feb 2019 19:27:06 GMT) (full text, mbox, link).

Message #46 received at [email protected] (full text, mbox, reply):

On Fri, Feb 15, 2019 at 04:04:31PM +0100, chrysn wrote:

> I used to be member of the DPMT group back on Alioth[2], can you add me on salsa? Then I can make the package ready for sponsor-upload-from-git once moved.
>
> I’ve incorporated the changes from the move and an update to standards-version, and set the changelog to indicate release readiness. Would you sponsor the latest version (81346975) of [1] to close this issue?

I have uploaded with an additional change to set DPMT as Maintainer and you as Uploader since this is policy if you are maintaining in this repository tree.

Thanks for working on this

   Andreas.

[1]: https://salsa.debian.org/python-team/modules/rdflib

--
http://fam-tille.de

Reply sent to [email protected] (Christian M. Amsüss):
You have taken responsibility. (Fri, 15 Feb 2019 19:36:15 GMT) (full text, mbox, link).

Notification sent to Gabriel Corona <[email protected]>:
Bug acknowledged by developer. (Fri, 15 Feb 2019 19:36:15 GMT) (full text, mbox, link).

Message #51 received at [email protected] (full text, mbox, reply):

Source: rdflib
Source-Version: 4.2.2-2

We believe that the bug you reported is fixed in the latest version of rdflib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian M. Amsüss [email protected] (supplier of updated rdflib package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Fri, 15 Feb 2019 15:50:18 +0100
Source: rdflib
Architecture: source
Version: 4.2.2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team [email protected]
Changed-By: Christian M. Amsüss [email protected]
Closes: 917913 921751
Changes:
 rdflib (4.2.2-2) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * d/control: Remove ancient X-Python(3)-Version fields
   * d/changelog: Remove trailing whitespaces
 .
   [ Christian Amsüss ]
   * tools:
     - Use easy_install provided scripts (CVE-2019-7653, closes: #921751)
     - Use Python 3
   * d/control:
     - Update Standards-Version to 4.3.0 (no further changes)
     - Remove retired Olivier Berger from uploaders (closes: #917913)
     - Update salsa location
   * d/patches: Acknowledge that pyparsinglatest.patch is not required any more
   * Add bsddb3 and rdflib-jsonld to test dependencies
     - Disable broken tests for rdflib-jsonld at build time
Checksums-Sha1:
 50812e90e3bc74262b2771e4f36f4cced886cfb1 3084 rdflib_4.2.2-2.dsc
 b731f212c620c299add8eb14f70872659798c9ee 28760 rdflib_4.2.2-2.debian.tar.xz
 f79d0d8a9f129e493da141acf23328c4f78d71ec 8803 rdflib_4.2.2-2_amd64.buildinfo
Checksums-Sha256:
 9840ad126cc4387ba97051f2fa1713b301a8e57578aff59e30df52e524563f6f 3084 rdflib_4.2.2-2.dsc
 dfc2f37a9619976023361a64c717b62d920df956a7c1bc8eeb7ff94634f60c97 28760 rdflib_4.2.2-2.debian.tar.xz
 3d54308530b6a0dd42deb84311dbf1ff49ad8fe8dd426b0dfc0604735e6f605b 8803 rdflib_4.2.2-2_amd64.buildinfo
Files:
 c6291b837c791f34a89446395cb38d95 3084 python optional rdflib_4.2.2-2.dsc
 e1f291c8a981a71dbfd7b1a83c45d86e 28760 python optional rdflib_4.2.2-2.debian.tar.xz
 67a4f90f45acce40dce2fb974f1dbbee 8803 python optional rdflib_4.2.2-2_amd64.buildinfo


Marked as found in versions rdflib/4.2.1-2. Request was from Salvatore Bonaccorso <[email protected]> to [email protected]. (Fri, 15 Feb 2019 20:09:03 GMT) (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <[email protected]> to [email protected]. (Sun, 31 Mar 2019 07:26:54 GMT) (full text, mbox, link).

Debian bug tracking system administrator <[email protected]>. Last modified: Tue Dec 28 16:30:16 2021; Machine Name: buxtehude
