CVE-2022-34558: Something strange happened with pre-release versions with wmagent · Issue #11188 · dmwm/WMCore
WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workqueue 1.4.1rc5 allow attackers to execute arbitrary code via a crafted dbs-client package.
Impact of the bug
Malicious code execution
Describe the bug
There are release candidates of wmagent on PyPI (https://pypi.org/project/wmagent/1.3.3rc2/#history).
In 1.3.3rc2 and 1.3.3rc1 there is a requirements.txt file with this content:
# All dependencies needed to run WMAgent
Cheetah==2.4.0
Markdown==3.0.1
MySQL-python==1.2.5
SQLAlchemy==1.3.3
Sphinx==1.3.5
cx-Oracle==5.2.1
dbs-client==3.7.8
decorator==3.4.2
future==0.16.0
httplib2==0.7.3
psutil==5.6.6
py==1.7.0
pyOpenSSL==18.0.0
pycurl-client==3.7.8
pycurl==7.19.3
python-cjson==1.2.1
pyzmq==17.1.2
retry==0.9.1
stomp.py==4.1.15
rucio-clients==1.19.3
These dependencies will be installed by setup.py:
...
# requirements.txt is parsed and every entry becomes a hard install requirement
requirements = "requirements.txt"
...
setup(name='wmagent',
      version=wmcore_version,
      maintainer='CMS DMWM Group',
      maintainer_email='[email protected]',
      package_dir={'': 'src/python/'},
      packages=list_packages(['src/python/Utils',
                              'src/python/WMCore',
                              'src/python/WMComponent',
                              'src/python/WMQuality',
                              'src/python/PSetTweaks']),
      data_files=list_static_files(),
      install_requires=parse_requirements(requirements),
      url="https://github.com/dmwm/WMCore",
      license="Apache License, Version 2.0",
      )
dbs-client does not exist on PyPI yet:
python3 -m pip install dbs-client
ERROR: Could not find a version that satisfies the requirement dbs-client (from versions: none)
ERROR: No matching distribution found for dbs-client
The problem: an attacker can register a malicious dbs-client package on PyPI, and pip will install it for every user of our package because it is listed as a hard requirement.
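The failure mode above is a requirement whose project name nobody has registered on the index. The following is an added example (not WMCore code) of a pre-release audit that parses a requirements file, normalizes names the way pip does (PEP 503: case-folded, with runs of "-", "_" and "." collapsed to "-"), and flags names that are not registered, pinned versions that are not published, and unpinned entries. The index here is a constructed stand-in for PyPI's per-project JSON data; the `audit`, `parse_requirements` and `normalize` names are this example's own.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Requirement line grammar handled here: name, optional [extras], optional "==version".
# Other specifiers (>=, ~=) are treated as unpinned, which is what the audit wants to flag.
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(?:==\s*([^\s;#]+))?"
)


def normalize(name: str) -> str:
    """PEP 503 project-name normalization.

    pip compares names this way, so dbs_client, DBS.Client and dbs-client all
    resolve to the same project; an audit must compare normalized names too.
    """
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (normalized_name, pinned_version or None) per requirement line,
    skipping blank lines and comments."""
    reqs: List[Tuple[str, Optional[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        reqs.append((normalize(m.group(1)), m.group(2)))
    return reqs


def audit(text: str, index: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Check every requirement against `index`, a mapping of normalized project
    name -> set of published versions (a stand-in for what PyPI reports).

    Findings:
      unregistered    - no project of that name exists: anyone can claim it
      version_missing - project exists but the pinned version was never published
      unpinned        - no exact pin, so a future upload changes what installs
    """
    findings: Dict[str, List[str]] = {"unregistered": [], "version_missing": [], "unpinned": []}
    for name, version in parse_requirements(text):
        if name not in index:
            findings["unregistered"].append(name)
        elif version is None:
            findings["unpinned"].append(name)
        elif version not in index[name]:
            findings["version_missing"].append(f"{name}=={version}")
    return findings


# Constructed sample: a few entries in the style of the requirements.txt above,
# plus one deliberately wrong pin and one unpinned entry to exercise each finding.
SAMPLE_REQS = """\
# constructed excerpt for the audit
Cheetah==2.4.0
Markdown==9.9.9
psutil==5.6.6
dbs-client==3.7.8
retry
"""

# Constructed index: which names/versions the "registry" knows about.
SAMPLE_INDEX: Dict[str, Set[str]] = {
    "cheetah": {"2.4.0"},
    "markdown": {"3.0.1"},
    "psutil": {"5.6.6"},
    "retry": {"0.9.1"},
}


if __name__ == "__main__":
    for category, items in audit(SAMPLE_REQS, SAMPLE_INDEX).items():
        print(f"{category}: {items}")
```

An "unregistered" finding is the one that matters most: pinning `dbs-client==3.7.8` does not help, since whoever registers the name also chooses which versions to publish. Against a real index the `SAMPLE_INDEX` lookup would be replaced by a query for each project's published releases, and the release should be blocked until every hard requirement resolves to the intended project.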
Solution:
These potentially unsafe packages need to be removed from PyPI.