Bug 843759 (CVE-2013-1633) - VUL-0: CVE-2013-1633: python-setuptools: uses only http
Summary: VUL-0: CVE-2013-1633: python-setuptools: uses only http
Status: RESOLVED FIXED
Alias: CVE-2013-1633
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Deadline: 2014-03-06
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp3:56969
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-02 19:01 UTC by Marcus Meissner
Modified: 2014-04-14 17:04 UTC
CC: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
adjust-ssl-patch.patch (888 bytes, patch)
2014-04-04 13:43 UTC, Marcus Meissner

Description Marcus Meissner 2013-10-02 19:01:04 UTC
CVE-2013-1633

easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the
PyPI repository, and does not perform integrity checks on package contents,
which allows man-in-the-middle attackers to execute arbitrary code via a crafted
response to the default use of the product.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=994182
https://pypi.python.org/pypi/setuptools/0.9.8#changes
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1633

(Not sure if this is python-setuptools)
Comment 1 Swamp Workflow Management 2013-10-02 22:00:51 UTC
bugbot adjusting priority
Comment 2 Jan Matejek 2013-11-18 16:00:13 UTC
SR #29419 against SLE 11.

SLE 10 doesn't seem to have setuptools, and versions in openSUSE are not affected
Comment 4 Swamp Workflow Management 2014-02-20 15:21:08 UTC
The SWAMPID for this issue is 56352.
This issue was rated as moderate.
Please submit fixed packages until 2014-03-06.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 7 Marcus Meissner 2014-04-04 13:31:53 UTC
The update currently does not do certificate validation ...

in strace I see:

stat("/etc/pki/tls/certs/ca-bundle.crt", 0x7fff09f66020) = -1 ENOENT (No such file or directory)
stat("/etc/ssl/certs/ca-certificates.crt", 0x7fff09f66020) = -1 ENOENT (No such file or directory)
stat("/usr/share/ssl/certs/ca-bundle.crt", 0x7fff09f66020) = -1 ENOENT (No such file or directory)
stat("/usr/local/share/certs/ca-root.crt", 0x7fff09f66020) = -1 ENOENT (No such file or directory)
stat("/etc/ssl/cert.pem", 0x7fff09f66020) = -1 ENOENT (No such file or directory)
stat("/System/Library/OpenSSL/certs/cert.pem", 0x7fff09f66020) = -1 ENOENT (No such file or directory)


It should open /etc/ssl/certs/xxxxxx.0  files or similar.

Pointing the hostname to another one does not result in "bad hostname" errors.
Comment 8 Marcus Meissner 2014-04-04 13:43:14 UTC
Created attachment 585162 [details]
adjust-ssl-patch.patch

Adjusted patch:

If we do not specify any bundle at all, it will fall back to the system bundles (and pypi should be verifiable by those).
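The two defects discussed in this bug, the unverified HTTPS connection in comments 7 and 8 (no CA bundle found on disk, so a wrong hostname is not rejected) and the missing integrity check named in the CVE description, shown side by side in an added Python example that is not part of the bug report or of the setuptools patch. The candidate bundle paths are the ones probed in the strace in comment 7; the function names, the "weak" context that mirrors the failure mode, and the sample package bytes are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import os
import ssl

# CA bundle locations probed in the strace from comment 7 (constructed list;
# which of these exists depends on the distribution).
CANDIDATE_BUNDLES = [
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/certs/ca-certificates.crt",
    "/usr/share/ssl/certs/ca-bundle.crt",
    "/usr/local/share/certs/ca-root.crt",
    "/etc/ssl/cert.pem",
    "/System/Library/OpenSSL/certs/cert.pem",
]


def find_ca_bundle(candidates=CANDIDATE_BUNDLES):
    """Return the first readable CA bundle from the candidate list, or None."""
    for path in candidates:
        if os.path.isfile(path) and os.access(path, os.R_OK):
            return path
    return None


def weak_context(bundle):
    """Failure mode seen in comment 7 (hypothetical reconstruction): when no
    bundle is found, verification is silently switched off, so any certificate
    for any hostname is accepted and the download is MITM-able."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if bundle is None:
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.load_verify_locations(cafile=bundle)
    return ctx


def verifying_context(bundle=None):
    """Hardened variant following comment 8: use the explicit bundle when one
    is given, otherwise fall back to OpenSSL's default verify paths, and never
    downgrade verification. create_default_context() enables CERT_REQUIRED and
    hostname checking by default."""
    ctx = ssl.create_default_context(cafile=bundle)
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS context is not verifying peer certificates")
    return ctx


def context_is_verifying(ctx):
    """True only if both chain validation and hostname matching are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data, expected_hex):
    """Integrity check on a downloaded archive: compare its SHA-256 against a
    digest obtained out of band, using a constant-time comparison."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


if __name__ == "__main__":
    # Constructed sample package bytes and a digest we "pinned" beforehand.
    SAMPLE = b"\x1f\x8b constructed-sdist-bytes"
    pinned = sha256_hex(SAMPLE)
    bundle = find_ca_bundle()
    print("CA bundle found:", bundle)
    print("weak context verifying:", context_is_verifying(weak_context(bundle)))
    print("hardened context verifying:", context_is_verifying(verifying_context(bundle)))
    print("digest matches:", verify_sha256(SAMPLE, pinned))
    print("tampered digest matches:", verify_sha256(SAMPLE + b"\x00", pinned))
```

The design point is that the fallback path must keep verification on: `weak_context` reproduces the outcome in comment 7 (no bundle, no checking, no "bad hostname" error), while `verifying_context` loads the system default paths instead and refuses to hand back a context that would trust everything. The digest check is independent of transport and catches a substituted archive even when TLS is in place.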
Comment 12 Jan Matejek 2014-04-10 14:44:56 UTC
thanks for the patch (and for fixing my submit).
handing over to security again
Comment 13 Swamp Workflow Management 2014-04-14 13:47:19 UTC
Update released for: python-setuptools
Products:
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
Comment 14 Alexander Bergmann 2014-04-14 15:51:38 UTC
Fixed and released. Closing bug.
Comment 15 Swamp Workflow Management 2014-04-14 17:04:21 UTC
SUSE-SU-2014:0523-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 843759
CVE References: CVE-2013-1633
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    python-setuptools-0.6c8-10.19.6.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    python-setuptools-0.6c8-10.19.6.1