Python os._execvpe function temporary file symlink attack

python-execvpe-tmpfile-symlink (10009)

Medium Risk

Description:

Python could allow a local attacker to launch a symlink attack. The os._execvpe function in the os.py utility creates temporary files with predictable file names. A local attacker could use this vulnerability to create a symbolic link from a temporary file to any file on the system to cause the file to be overwritten, and possibly execute code on the system.

Platforms Affected:

• Conectiva, Linux 6.0
• Conectiva, Linux 7.0
• Conectiva, Linux 8.0
• Debian, Debian Linux 2.2
• Debian, Debian Linux 3.0
• Gentoo, Linux
• MandrakeSoft, Mandrake Linux 7.2
• MandrakeSoft, Mandrake Linux 8.0
• MandrakeSoft, Mandrake Linux 8.0 PPC
• MandrakeSoft, Mandrake Linux 8.1 IA64
• MandrakeSoft, Mandrake Linux 8.1
• MandrakeSoft, Mandrake Linux 8.2 PPC
• MandrakeSoft, Mandrake Linux 8.2
• MandrakeSoft, Mandrake Linux 9.0
• MandrakeSoft, Mandrake Single Network Firewall 7.2
• OpenPKG, OpenPKG 1.1
• OpenPKG, OpenPKG 1.2
• OpenPKG, OpenPKG CURRENT
• Python Software Foundation, Python 1.5.2 - 2.2.1
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Linux 6.2
• RedHat, Linux 7
• RedHat, Linux 7.1
• RedHat, Linux 7.1 for iSeries
• RedHat, Linux 7.1 for pSeries
• RedHat, Linux 7.2
• RedHat, Linux 7.3
• RedHat, Linux Advanced Workstation 2.1 Itanium
• SCO, Caldera OpenLinux Server 3.1
• SCO, Caldera OpenLinux Server 3.1.1
• SCO, Caldera OpenLinux Workstation 3.1
• SCO, Caldera OpenLinux Workstation 3.1.1
• Sun, Linux 5.0
• Twibright Labs, Links 0.96

Remedy:

For Debian GNU/Linux 2.2 (potato):
Upgrade to the latest python package (1.5.2-10potato12 or later), as listed in DSA-159-1. See References.

For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest python package (1.5_1.5.2-23.1 or later), as listed in DSA-159-1. See References.

For Sun Linux 5.0:
Apply the appropriate patch for your system. Refer to Sun Alert ID: 56122 for more information. See References.

— OR —

As a workaround, follow the instructions as listed in Sun Alert ID: 56122.

For Conectiva Linux:
Upgrade to the latest python package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2002:527 for more information. See References.

Conectiva Linux 6.0: 1.5.2-14U60_2cl or later
Conectiva Linux 7.0: 2.1-15U70_1cl or later
Conectiva Linux 8.0: 2.2-10U80_1cl or later

For Gentoo Linux:
Upgrade to the latest dev-lang/python-2.2.1-r4 package, as listed in Gentoo Linux Security Announcement 2002-10-03 14:45 UTC. See References.

For Caldera OpenLinux 3.1 and 3.1.1 (Workstation and Server):
Upgrade to the latest python package (1.5.2-23 or later), as listed in Caldera International, Inc. Security Advisory CSSA-2002-045.0. See References.

For Mandrake Linux:
Upgrade to the latest python, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2002:082 for more information. See References.

Mandrake Linux 7.2 and Single Network Firewall 7.2: 1.5.2-12.1mdk or later
Mandrake Linux 8.0: 2.0-9.1mdk or later
Mandrake Linux 8.1 and 8.2: 2.2-9.1mdk or later
Mandrake Linux 9.0: 2.2.1-14.2mdk or later

For Red Hat Linux:
Upgrade to the latest python package, as listed below. Refer to RHSA-2002:202-25 for more information. See References.

Red Hat 6.2: python-1.5.2-42.62 or later
Red Hat 7.0 and 7.1: python-1.5.2-42.71 or later
Red Hat 7.2: python-1.5.2-42.72 or later
Red Hat 7.3: python-1.5.2-42.73 or later

For OpenPKG:
Upgrade to the latest python package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2003.006 for more information. See References.

OpenPKG CURRENT: 2.2.2-20021015 or later
OpenPKG 1.1: 2.2.1-1.1.1 or later

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

File Manipulation

References:

• Caldera International, Inc. Security Advisory CSSA-2002-045.0, Linux: python insecure temporary files in os._execvpe at http://www.linuxsecurity.com/content/view/104334/98/.
• Conectiva Linux Announcement CLSA-2002:527, python at http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000527.
• Gentoo Linux Security Announcement 2002-10-03 14:45 UTC, os.execvpe() vulnerability at http://www.linuxsecurity.com/content/view/104176/109/.
• Python Web site, Download Python Software at http://www.python.org/download/.
• Python-Dev Mailing List, Thu, 1 Aug 2002 09:19:46 -0700, Weird error handling in os._execvpe at http://mail.python.org/pipermail/python-dev/2002-August/027223.html.
• SourceForge.net, Detail:590294 os._execvpe security fix at http://sourceforge.net/tracker/index.php?func=detail&aid=590294&group_id=5470&atid=305470.
• SourceForge.net, Detail:601077 bug in new execvpe at http://sourceforge.net/tracker/index.php?func=detail&aid=601077&group_id=5470&atid=105470.
• Sun Alert ID: 56122, Python Creates Temporary Files Insecurely at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56122&zone_32=category%3Asecurity.
• BID-5581: Python os.py Predictable Temporary Filename Command Execution Vulnerability
• CVE-2002-1119: os._execvpe from os.py in Python 2.2.1 and earlier creates temporary files with predictable names, which could allow local users to execute arbitrary code via a symlink attack.
• DSA-159: python -- insecure temporary files
• MDKSA-2002:082: Updated python packages fix local arbitrary code execution vulnerability
• MDKSA-2002:082-1: Updated python packages fix local arbitrary code execution vulnerability
• MDKSA-2003:024: Updated packages fix multiple vulnerabilities
• OpenPKG-SA-2003.006: Python
• RHSA-2002-202: Updated python packages fix predictable temporary file
• RHSA-2003-048: python security update

Reported:

Aug 28, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page