
Re: rdflib / CVE-2019-7653



Chris Lamb <lamby@debian.org> writes:

> I also still don't grok the move to Python 3 (nor the changes to
> debian/gbp.conf as it happens). It seems to go against the
> general theme of being as conservative as possible in stable/
> security updates. Again, likely one for recording for posterity in
> debian/changelog rather than on this quasi-ephemeral list.

I made a change to use Python2, but this means that the 2 recommends
packages are now mandatory (python-sparqlwrapper and python-html5lib).

(jessie-amd64-default)root@silverfish:/tmp/brian/tmp6vjim7fm/build/amd64# rdf2dot
Traceback (most recent call last):
  File "/usr/bin/rdf2dot", line 5, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2876, in <module>
    working_set = WorkingSet._build_master()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 449, in _build_master
    ws.require(__requires__)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 745, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 639, in resolve
    raise DistributionNotFound(req)
pkg_resources.DistributionNotFound: html5lib

I can understand why this happens with Python2. I am just puzzled why
this doesn't happen with Python3.

Oh, wait, I see. html5lib and SPARQLWrapper are only added in
install_requires in setup.py for Python2. For Python3 they are not
added.

To fix this I could:

* Use Python3 tools instead.
* Change Recommends to Depends.
* Patch upstream not to require these libraries for Python2 (assuming
  that works...)

Any thoughts?

Latest patch attached.
-- 
Brian May <bam@debian.org>
diff -Nru rdflib-4.1.2/debian/changelog rdflib-4.1.2/debian/changelog
--- rdflib-4.1.2/debian/changelog	2014-05-25 06:47:03.000000000 +1000
+++ rdflib-4.1.2/debian/changelog	2019-03-08 07:38:55.000000000 +1100
@@ -1,3 +1,13 @@
+rdflib (4.1.2-3+deb8u1) UNRELEASED; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2019-7653:  The Debian package had a custom wrapper that can load
+    Python modules from the current working directory, allowing code injection.
+    This is because "python -m" looks in this directory. This version uses the
+    easy_install provided scripts instead of our our custom scripts.
+
+ -- Brian May <bam@debian.org>  Fri, 08 Mar 2019 07:38:55 +1100
+
 rdflib (4.1.2-3) unstable; urgency=low
 
   * Upload to unstable almost identical to 4.1.2-2.
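Review bot: the new changelog entry has a doubled word ("instead of our our custom scripts") and still carries UNRELEASED as the distribution; both need fixing before upload, with the distribution set to the stable target the LTS upload is meant for (e.g. jessie-security). The entry also records only the CVE fix, although the same upload rewrites debian/gbp.conf and changes how the -tools package is populated; a short line stating those packaging changes and why they were needed is exactly the posterity record Chris asked for, and it is missing here.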
diff -Nru rdflib-4.1.2/debian/control rdflib-4.1.2/debian/control
--- rdflib-4.1.2/debian/control	2014-05-13 14:46:55.000000000 +1000
+++ rdflib-4.1.2/debian/control	2019-03-08 07:38:55.000000000 +1100
@@ -61,7 +61,7 @@
 
 Package: python-rdflib-tools
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, python, python-rdflib (>= 4.0.1-1)
+Depends: ${shlibs:Depends}, ${misc:Depends}, python, python-rdflib (>= 4.0.1-1), python-pkg-resources
 Replaces: python-rdflib (<< 4.0.1-1)
 Breaks: python-rdflib (<< 4.0.1-1)
 Description: Python library containing an RDF triple store and RDF parsers/serializers
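Review bot: adding python-pkg-resources to Depends is necessary, because the setuptools-generated entry-point scripts do "from pkg_resources import load_entry_point" at startup, but the traceback in the mail shows it is not sufficient: the generated script calls ws.require() for the distribution, which resolves its install_requires, so with python-html5lib and python-sparqlwrapper only Recommended every tool aborts with "DistributionNotFound: html5lib". For this hunk to yield a working package, those two must move to Depends (on python-rdflib-tools at least), or the Python 2 install_requires has to be patched so require() no longer demands them; of the three options in the mail, the Depends change is the smallest and most conservative for a stable update.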
diff -Nru rdflib-4.1.2/debian/gbp.conf rdflib-4.1.2/debian/gbp.conf
--- rdflib-4.1.2/debian/gbp.conf	2014-05-13 14:46:55.000000000 +1000
+++ rdflib-4.1.2/debian/gbp.conf	2019-03-08 07:38:55.000000000 +1100
@@ -1,3 +1,3 @@
-[git-buildpackage]
-upstream-tag = %(version)s
-debian-branch = debian
+[buildpackage]
+upstream-tag = upstream/%(version)s
+debian-branch = jessie
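Review bot: this hunk is unrelated to CVE-2019-7653 and changes nothing in the built binaries, so in a stable security update it should either be dropped or be justified in debian/changelog; as written it renames the config section and retargets upstream-tag and debian-branch with no recorded reason, which is the point Chris raised about the gbp.conf change.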
diff -Nru rdflib-4.1.2/debian/python-rdflib-tools.install rdflib-4.1.2/debian/python-rdflib-tools.install
--- rdflib-4.1.2/debian/python-rdflib-tools.install	2014-05-13 14:46:56.000000000 +1000
+++ rdflib-4.1.2/debian/python-rdflib-tools.install	1970-01-01 10:00:00.000000000 +1000
@@ -1,5 +0,0 @@
-debian/scripts/rdfpipe /usr/bin/
-debian/scripts/csv2rdf /usr/bin/
-debian/scripts/rdf2dot /usr/bin/
-debian/scripts/rdfs2dot /usr/bin/
-debian/scripts/rdfgraphisomorphism /usr/bin/
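Review bot: with the .install file gone, the -tools package is populated only by the mv in debian/rules, so the list of shipped commands no longer appears anywhere in debian/; please verify that the upstream console_scripts entry points really produce all five commands removed here (rdfpipe, csv2rdf, rdf2dot, rdfs2dot, rdfgraphisomorphism). The last one deserves a specific check, because the deleted wrapper mapped the command name rdfgraphisomorphism onto the module rdflib.tools.graphisomorphism; if upstream's entry point is named after the module, users lose a command name in a security update.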
diff -Nru rdflib-4.1.2/debian/rules rdflib-4.1.2/debian/rules
--- rdflib-4.1.2/debian/rules	2014-05-13 14:46:56.000000000 +1000
+++ rdflib-4.1.2/debian/rules	2019-03-08 07:38:55.000000000 +1100
@@ -11,14 +11,10 @@
 
 export PYBUILD_NAME=rdflib
 
-# For the time being, don't install the /usr/bin scripts for Python2 (hack)
-# Instead, we'll patch the scripts to add a shebang and put links into /usr/bin
-export PYBUILD_INSTALL_ARGS_python2=--install-scripts=/tmp
-export PYBUILD_AFTER_INSTALL_python2=rm -fr '{destdir}/tmp/'
-# For the time being, don't install the /usr/bin scripts for Python3 (hack)
-export PYBUILD_INSTALL_ARGS_python3=--install-scripts=/tmp
-export PYBUILD_AFTER_INSTALL_python3=rm -fr '{destdir}/tmp/'
-
+# Install (only) those into the -tools package
+export PYBUILD_AFTER_INSTALL_python2=mv '{destdir}/usr/bin' 'debian/python-rdflib-tools/usr/'
+# The Python 3 part is only available as a library, not as tools
+export PYBUILD_AFTER_INSTALL_python3=rm -rf '{destdir}/usr/bin'
 
 %:
 	dh $@ --with python2,python3,sphinxdoc --buildsystem=pybuild
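Review bot: the PYBUILD_AFTER_INSTALL_python2 mv assumes debian/python-rdflib-tools/usr/ already exists when the python2 install step runs; if pybuild has not yet created that tree, mv fails or misplaces the directory. A command such as mkdir -p 'debian/python-rdflib-tools/usr' && mv '{destdir}/usr/bin' 'debian/python-rdflib-tools/usr/' is safer. A one-line comment that the generated /usr/bin scripts import pkg_resources at runtime would also tie this hunk to the new python-pkg-resources dependency in debian/control.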
diff -Nru rdflib-4.1.2/debian/scripts/csv2rdf rdflib-4.1.2/debian/scripts/csv2rdf
--- rdflib-4.1.2/debian/scripts/csv2rdf	2014-05-13 14:46:56.000000000 +1000
+++ rdflib-4.1.2/debian/scripts/csv2rdf	1970-01-01 10:00:00.000000000 +1000
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-exec /usr/bin/python -m rdflib.tools.csv2rdf $*
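Review bot: removing this wrapper is the actual CVE fix: "python -m rdflib.tools.csv2rdf" prepends the caller's current working directory to sys.path, so rdflib, or any module it imports, is resolved from whatever directory the user happens to run the tool in rather than only from the installed package; the same reasoning covers the four identical wrappers below. For the record, the old form had two more defects that argue for deleting rather than hardening it: unquoted $* re-splits arguments containing whitespace (it would need "$@"), and the Python 2 interpreter it calls has no isolated mode equivalent to Python 3.4's -I that would keep the cwd off sys.path.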
diff -Nru rdflib-4.1.2/debian/scripts/rdf2dot rdflib-4.1.2/debian/scripts/rdf2dot
--- rdflib-4.1.2/debian/scripts/rdf2dot	2014-05-13 14:46:56.000000000 +1000
+++ rdflib-4.1.2/debian/scripts/rdf2dot	1970-01-01 10:00:00.000000000 +1000
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-exec /usr/bin/python -m rdflib.tools.rdf2dot $*
diff -Nru rdflib-4.1.2/debian/scripts/rdfgraphisomorphism rdflib-4.1.2/debian/scripts/rdfgraphisomorphism
--- rdflib-4.1.2/debian/scripts/rdfgraphisomorphism	2014-05-13 14:46:56.000000000 +1000
+++ rdflib-4.1.2/debian/scripts/rdfgraphisomorphism	1970-01-01 10:00:00.000000000 +1000
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-exec /usr/bin/python -m rdflib.tools.graphisomorphism $*
diff -Nru rdflib-4.1.2/debian/scripts/rdfpipe rdflib-4.1.2/debian/scripts/rdfpipe
--- rdflib-4.1.2/debian/scripts/rdfpipe	2014-05-13 14:46:56.000000000 +1000
+++ rdflib-4.1.2/debian/scripts/rdfpipe	1970-01-01 10:00:00.000000000 +1000
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-exec /usr/bin/python -m rdflib.tools.rdfpipe $*
diff -Nru rdflib-4.1.2/debian/scripts/rdfs2dot rdflib-4.1.2/debian/scripts/rdfs2dot
--- rdflib-4.1.2/debian/scripts/rdfs2dot	2014-05-13 14:46:56.000000000 +1000
+++ rdflib-4.1.2/debian/scripts/rdfs2dot	1970-01-01 10:00:00.000000000 +1000
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-exec /usr/bin/python -m rdflib.tools.rdfs2dot $*
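To make the root cause and the fix concrete, here is an added example (not part of Brian's mail or of the rdflib package) that constructs a throwaway module and runs the interpreter in the three shapes discussed above: the deleted wrapper's "python -m" from the module's directory, the same with isolated mode, and a script on disk (the shape of a generated /usr/bin entry point) run from an unrelated directory. It assumes a CPython 3 interpreter that may spawn subprocesses; the names probe_mod and launcher.py are constructed for the demonstration.

```python
import os
import subprocess
import sys
import tempfile

# Constructed probe module: prints whether the caller's working directory is on
# the import path ('' and the absolute cwd are the two forms CPython uses).
PROBE_SRC = (
    "import os, sys\n"
    "on_path = os.getcwd() in sys.path or '' in sys.path\n"
    "print('cwd-on-path' if on_path else 'clean')\n"
)


def run(args, cwd):
    """Run sys.executable with `args` in `cwd`; return (returncode, stdout).

    PYTHONPATH is dropped so the result reflects only the invocation mode.
    """
    env = {k: v for k, v in os.environ.items() if k != "PYTHONPATH"}
    r = subprocess.run([sys.executable] + args, cwd=cwd, env=env,
                       capture_output=True, text=True)
    return r.returncode, r.stdout.strip()


def probe():
    """Return {mode: (returncode, output)} for the three invocation modes."""
    with tempfile.TemporaryDirectory() as tooldir, \
            tempfile.TemporaryDirectory() as userdir:
        # tooldir plays the directory a user happens to run a tool from; it
        # contains the module that `python -m` will pick up from there.
        with open(os.path.join(tooldir, "probe_mod.py"), "w") as f:
            f.write(PROBE_SRC)
        # launcher.py stands in for a generated /usr/bin script: a real file
        # whose own directory, not the caller's cwd, becomes sys.path[0].
        launcher = os.path.join(tooldir, "launcher.py")
        with open(launcher, "w") as f:
            f.write(PROBE_SRC)
        return {
            # the old Debian wrapper's shape: module resolved via the cwd
            "m_flag": run(["-m", "probe_mod"], cwd=tooldir),
            # isolated mode: cwd is not searched, so the module is not found
            "m_flag_isolated": run(["-I", "-m", "probe_mod"], cwd=tooldir),
            # the fixed shape: script on disk, run from an unrelated cwd
            "script_on_disk": run([launcher], cwd=userdir),
        }


if __name__ == "__main__":
    for mode, (rc, out) in probe().items():
        print(f"{mode:16} rc={rc} {out}")
```

Python 3.11 and later also offer -P (or PYTHONSAFEPATH=1), which keeps the cwd and script directory off sys.path without the other effects of isolated mode.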
