Classification
Title: uuid._find_mac fails if an executable not in /sbin or /usr/sbin
Type: security
Stage: resolved
Components: Library (Lib)
Versions: Python 3.2

Process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: serhiy.storchaka
Nosy List: Arfrever, georg.brandl, nnorwitz, python-dev, r.david.murray, serhiy.storchaka
Priority: release blocker
Keywords: patch

Created on 2013-12-01 15:12 by serhiy.storchaka, last changed 2014-10-01 20:31 by python-dev. This issue is now closed.

Files
File name                      Uploaded                            Description
uuid_find_mac_which.patch      serhiy.storchaka, 2013-12-01 15:12
uuid_find_mac_which_2.patch    serhiy.storchaka, 2013-12-15 19:43  Patch for 3.3+
uuid_find_mac_which-2.7.patch  serhiy.storchaka, 2013-12-15 19:45  Patch for 2.7
uuid-3.2.patch                 serhiy.storchaka, 2014-09-30 16:57
Messages (14)
msg204932 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2013-12-01 15:12
The uuid._find_mac() function tests that the executable file exists before running it. First it tries to run the unmodified executable name (i.e. from $PATH) and then from the /sbin or /usr/sbin directories. However, the test for the unmodified executable name is wrong: it actually tests that the executable name exists in the current directory rather than in $PATH.

As a result uuid._find_mac() always fails on platforms where ifconfig is located in $PATH but not in /sbin or /usr/sbin (e.g. Gentoo). If unixdll_getnode() fails too, uuid.getnode() falls back to using _random_getnode(). This is a security issue.

test_uuid fails on such platforms too.

Here is a patch for 3.3+. Other Python versions require a different solution. For example, this check can simply be removed.
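The lookup mistake described in this report, reproduced as an added example (this is illustrative code written for this page, not the uuid module's code or Serhiy's patch). `cwd_exists_check` is the flawed form: `os.path.exists()` on a bare name such as `ifconfig` resolves against the current working directory. `find_executable` is the intended behaviour: search every `$PATH` entry, then the sbin fallback directories. `which_in` is an assumed, simplified stand-in for `shutil.which()`; the fake tools, directory names and the `demo()` fixture are constructed here:

```python
import os
import stat
import tempfile


def cwd_exists_check(executable):
    # The flawed check: a bare name such as "ifconfig" is resolved by
    # os.path.exists() relative to the current working directory, so the
    # result says nothing about whether the tool is reachable via $PATH.
    return os.path.exists(executable)


def which_in(executable, directories):
    # Simplified stand-in for shutil.which() (assumption, not the stdlib
    # code): return the first regular, executable file named `executable`
    # found in `directories`, else None.
    for directory in directories:
        candidate = os.path.join(directory, executable)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def find_executable(executable, path=None, fallback_dirs=('/sbin', '/usr/sbin')):
    # Intended lookup order: every $PATH entry first, then the sbin
    # directories that were already being tried. `path` defaults to the
    # process environment so callers can inject a controlled PATH.
    if path is None:
        path = os.environ.get('PATH', '')
    dirs = [d for d in path.split(os.pathsep) if d]
    return which_in(executable, dirs + list(fallback_dirs))


def _make_fake_tool(directory, name):
    # Constructed fixture: write a tiny shell script and mark it executable.
    tool = os.path.join(directory, name)
    with open(tool, 'w') as f:
        f.write('#!/bin/sh\necho "placeholder output"\n')
    os.chmod(tool, os.stat(tool).st_mode | stat.S_IXUSR)
    return tool


def demo():
    # Reproduce the reported layout: a fake 'ifconfig' exists only in a
    # directory on PATH (the Gentoo case), a fake 'arp' only in a fallback
    # directory, and the working directory contains neither.
    # Returns (cwd_check_result, found_on_path, found_in_fallback).
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, 'bin')
        sbindir = os.path.join(root, 'sbin')
        workdir = os.path.join(root, 'work')
        for d in (bindir, sbindir, workdir):
            os.mkdir(d)
        ifconfig = _make_fake_tool(bindir, 'ifconfig')
        arp = _make_fake_tool(sbindir, 'arp')
        old_cwd = os.getcwd()
        os.chdir(workdir)
        try:
            # The buggy check never sees the tool on PATH.
            cwd_result = cwd_exists_check('ifconfig')
            # The PATH-aware lookup finds it, and the fallback still works.
            on_path = find_executable('ifconfig', path=bindir, fallback_dirs=(sbindir,))
            in_fallback = find_executable('arp', path=bindir, fallback_dirs=(sbindir,))
        finally:
            os.chdir(old_cwd)
        return cwd_result, on_path == ifconfig, in_fallback == arp


if __name__ == '__main__':
    print(demo())  # (False, True, True)
```

The practical consequence is the one the report names: when the existence check fails for a tool that is actually installed, the hardware-address path is skipped and `getnode()` ends up on the random fallback, so a defender auditing UUID generation on such a platform should confirm which branch is really being taken rather than trusting that the tool is present.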
msg204933 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2013-12-01 15:15
Initially the issue was reported in msg204881.
msg206247 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2013-12-15 19:43
This check was added in r50954 (changeset 654c380cf8b9).

Here is a better (but larger) patch for 3.3+.
msg206248 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2013-12-15 19:45
And here is a patch for 2.7. It uses a simplified variant of shutil.which() backported from 3.3.
msg206492 - Author: Roundup Robot (python-dev) Date: 2013-12-18 02:33
New changeset b0fbaed45956 by R David Murray in branch '3.3':
#19855: uuid.get_node now looks on the PATH for executables on unix.
http://hg.python.org/cpython/rev/b0fbaed45956

New changeset 2e856fcb9084 by R David Murray in branch 'default':
Merge: #19855: uuid.get_node now looks on the PATH for executables on unix.
http://hg.python.org/cpython/rev/2e856fcb9084

New changeset 9f9ae5f7c4ae by R David Murray in branch '2.7':
#19855: uuid.get_node now looks on the PATH for executables on unix.
http://hg.python.org/cpython/rev/9f9ae5f7c4ae
msg206493 - Author: R. David Murray (r.david.murray) * (Python committer) Date: 2013-12-18 02:40
I'm on gentoo, so this was causing test runs to fail for me, giving me sufficient motivation to review the patches and commit them :)

Thanks, Serhiy.
msg208129 - Author: Arfrever Frehtes Taifersar Arahesis (Arfrever) * Date: 2014-01-15 01:23
When LC_ALL is already set in the environment, LC_MESSAGES will not override it.
I suggest restoring LC_ALL=C in place of LC_MESSAGES=C.
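Why the comment above matters, as an added example (written for this page, not code from the uuid module or the committed change): a tool's output is only predictable for parsing if the child process really runs in the C locale, and under the POSIX precedence rule LC_ALL beats every specific LC_* category, which in turn beats LANG. `effective_locale` implements that rule; the two `child_env_*` helpers and `PARENT_ENV` are constructed here to contrast the two approaches:

```python
def effective_locale(env, category='LC_MESSAGES'):
    # POSIX precedence for a locale category: LC_ALL overrides the specific
    # LC_* variable, which overrides LANG; with none set the C locale applies.
    for key in ('LC_ALL', category, 'LANG'):
        value = env.get(key)
        if value:
            return value
    return 'C'


def child_env_setting_lc_messages(parent_env):
    # The weaker variant: only LC_MESSAGES is forced to C. An inherited
    # LC_ALL still takes precedence inside the child process.
    env = dict(parent_env)
    env['LC_MESSAGES'] = 'C'
    return env


def child_env_setting_lc_all(parent_env):
    # The variant the thread restores: LC_ALL=C overrides whatever the parent
    # had, so the tool's messages are emitted in the C locale.
    env = dict(parent_env)
    env['LC_ALL'] = 'C'
    return env


# Constructed parent environment: a user who selected a German locale via LC_ALL.
PARENT_ENV = {
    'PATH': '/usr/bin:/bin',
    'LANG': 'en_US.UTF-8',
    'LC_ALL': 'de_DE.UTF-8',
}


def compare():
    # Returns the message locale a child process would see under each approach.
    return (
        effective_locale(child_env_setting_lc_messages(PARENT_ENV)),
        effective_locale(child_env_setting_lc_all(PARENT_ENV)),
    )


if __name__ == '__main__':
    print(compare())  # ('de_DE.UTF-8', 'C')
```

With only LC_MESSAGES set, the child still runs under the inherited German locale, which is exactly the case in which localized tool output can defeat a parser written against English output.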
msg208415 - Author: Roundup Robot (python-dev) Date: 2014-01-18 20:02
New changeset 9fe32328a573 by R David Murray in branch '2.7':
#19855: restore use of LC_ALL, not LC_MESSAGES
http://hg.python.org/cpython/rev/9fe32328a573

New changeset 706354c4d8f5 by R David Murray in branch '3.3':
#19855: restore use of LC_ALL, not LC_MESSAGES
http://hg.python.org/cpython/rev/706354c4d8f5

New changeset 418212180bf1 by R David Murray in branch 'default':
Merge #19855: restore use of LC_ALL, not LC_MESSAGES
http://hg.python.org/cpython/rev/418212180bf1
msg227945 - Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2014-09-30 15:17
Serhiy, would you make a patch for 3.2 too?
msg227951 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2014-09-30 16:57
There were other bug fixes not applied to 3.2. Here is a cumulative patch for issue16102, issue18784, issue11508, and issue19855. They have the same severity as this issue. There is also issue22131 (not applied to 3.3) and issue9678 (in progress).
msg227957 - Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2014-09-30 17:34
Thanks!
msg227960 - Author: Roundup Robot (python-dev) Date: 2014-09-30 17:34
New changeset f9cd915410d2 by Georg Brandl in branch '3.2':
Issue #19855: uuid.getnode() on Unix now looks on the PATH for the
https://hg.python.org/cpython/rev/f9cd915410d2
msg228113 - Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2014-10-01 20:28
I see test failures on Windows:

http://buildbot.python.org/all/builders/AMD64%20Windows7%20SP1%20custom/builds/62/steps/test/logs/stdio

http://buildbot.python.org/all/builders/x86%20Windows7%20custom/builds/52/steps/test/logs/stdio

Do the tests need changing too?
msg228114 - Author: Roundup Robot (python-dev) Date: 2014-10-01 20:31
New changeset 7ce56727edc7 by Georg Brandl in branch '3.2':
ref #19855: skip uuid test_find_mac on non-Posix as in later branches
https://hg.python.org/cpython/rev/7ce56727edc7
History
Date                 User              Action  Args
2014-10-01 20:31:58  python-dev        set     messages: + msg228114
2014-10-01 20:31:56  georg.brandl      set     status: open -> closed
2014-10-01 20:28:18  georg.brandl      set     priority: normal -> release blocker; status: closed -> open; messages: + msg228113; versions: + Python 3.2, - Python 2.7, Python 3.3, Python 3.4
2014-09-30 17:34:51  python-dev        set     messages: + msg227960
2014-09-30 17:34:49  georg.brandl      set     messages: + msg227957
2014-09-30 16:57:23  serhiy.storchaka  set     files: + uuid-3.2.patch; messages: + msg227951
2014-09-30 15:17:20  georg.brandl      set     nosy: + georg.brandl; messages: + msg227945
2014-01-18 20:02:57  python-dev        set     messages: + msg208415
2014-01-15 01:23:16  Arfrever          set     messages: + msg208129
2013-12-18 02:40:44  r.david.murray    set     status: open -> closed; versions: - Python 3.2; nosy: + r.david.murray; messages: + msg206493; resolution: fixed; stage: patch review -> resolved
2013-12-18 02:33:10  python-dev        set     nosy: + python-dev; messages: + msg206492
2013-12-15 19:45:27  serhiy.storchaka  set     files: + uuid_find_mac_which-2.7.patch; messages: + msg206248
2013-12-15 19:43:29  serhiy.storchaka  set     files: + uuid_find_mac_which_2.patch; nosy: + nnorwitz; messages: + msg206247; assignee: serhiy.storchaka
2013-12-01 15:15:29  serhiy.storchaka  set     messages: + msg204933
2013-12-01 15:12:48  serhiy.storchaka  create