Velocity Reviews - Computer Hardware Reviews

Who should security issues be reported to?

 
 
Duncan Booth
      01-28-2005
Paul Rubin wrote:

> Duncan Booth <(E-Mail Removed)> writes:
>> In other words, I'm intrigued how you managed to come up with
>> something you consider to be a security issue with Python since
>> Python offers no security. Perhaps, without revealing the actual
>> issue in question, you could give an example of some other situation
>> which, if it came up in Python you would consider to be a security
>> issue?

>
> Until fairly recently, the pickle module was insufficiently documented
> as being unsafe to use with hostile data, so people used it that way.
> As a result, the Cookie module's default settings allowed remote
> attackers to take over Python web apps. See SF bug 467384.


SF doesn't seem to know about any such bug any more.
Google finds me
http://mail.python.org/pipermail/pyt...er/007669.html
which appears to be SF bug 467384, but it says nothing about security or
the Cookie module, just that you wanted better documentation.

I think it's a bit borderline whether this really was a security bug in
Python rather than just a problem with the way some people used Python. It
was a standard library which if used in the wrong way opens a security hole
on your machine, but there are plenty of ways to open security holes.
The response seems to have been to document that there is a security
concern here, but it is still just as possible to use Python to expose your
machine to attack as it was before.

But thanks anyway, it does give me the sort of example I was asking for.
 

Paul Rubin
      01-28-2005
Duncan Booth <(E-Mail Removed)> writes:
> SF doesn't seem to know about any such bug any more.
> Google finds me
> http://mail.python.org/pipermail/pyt...er/007669.html
> which appears to be SF bug 467384, but it says nothing about security or
> the Cookie module, just that you wanted better documentation.


The Cookie issue is discussed some in that bug thread. But more
relevant is bug 471893. Sorry.

> I think its a bit borderline whether this really was a security bug in
> Python rather than just a problem with the way some people used Python.


If using a module the way it's documented results in a security hole,
that's definitely a security bug.

If using the module in an obvious and natural way that looks correct
results in a security hole, I'd say it's at least an issue needing
attention, even if some sufficiently hairsplitting reading of the
documentation says that usage is incorrect. Principle of least
astonishment.

I highly recommend reading the book "Security Engineering" by Ross
Anderson if you're trying to implement anything that might ever be
exposed to malicious parties. That includes any application that
communicates over the internet (such as web servers or clients), and
it includes any application that processes data downloaded from the
internet (such as jpeg viewers). Each of those classes of programs
has had examples of where hostile data could take over the
application.
 

Fuzzyman
      01-28-2005

(E-Mail Removed) wrote:
> Aahz wrote:
> > In article <(E-Mail Removed).com>,
> > <(E-Mail Removed)> wrote:
> > >
> > > Who are the appropriate people to report security problems to in
> > > respect of a module included with the Python distribution? I don't
> > > feel it appropriate to be reporting it on general mailing lists.
> >
> > There is no generally appropriate non-public mechanism for reporting
> > security issues. If you really think this needs to be handled
> > privately, do some research to find out which core developer is most
> > likely to be familiar with it. Even before you do that, check
> > SourceForge to find out whether anyone else has reported it as a bug.
>
> I find this response a bit disappointing frankly. Open Source people
> make such a big deal about having lots of people being able to look at
> source code and from that discover security problems, thus making it
> somehow making it better than proprietary source code. From what I can
> see, if an Open Source project is quite large with lots of people
> involved, it makes it very hard to try and identify who you should
> report something to when there is no clearly identifiable single point
> of contact for security related


The sourceforge bug tracker *is* the single right place to post such
issues. The py-dev mailing list would be a second *useful* place to
post such a comment, although not really the right place. The OP seemed
to want an individual with whom he could have a private conversation
about it.

Regards,


Fuzzy
http://www.voidspace.org.uk/python/index.shtml

> issues. Why should I have to go through hoops to try and track down who
> is appropriate to send it to? All you need is a single advertised email
> address for security issues which is forwarded onto a small group of
> developers who can then evaluate the issue and forward it on to the
> appropriate person. Such developers could probably do such evaluation in
> minutes, yet I have to spend a lot longer trying to research who to send
> it to and then potentially wait days for some obscure person mentioned in
> the source code who has not touched it in years to respond, if at all.
> Meanwhile you have a potentially severe security hole sitting there
> waiting for someone to exploit, with the only saving grace being the low
> relative numbers of users who may be using it in the insecure manner and
> that it would be hard to identify the actual web sites which suffer the
> problem.
>
> I'm sorry, but this isn't really good enough. If Open Source wants to
> say that they are better than these proprietary companies, they need to
> deal with these sorts of things more professionally and establish decent
> channels of communications for dealing with it.
>
> And yes I have tried mailing the only people mentioned in the module in
> question and am still waiting for a response.


 

Paul Rubin
      01-28-2005
"Fuzzyman" <(E-Mail Removed)> writes:
> The sourceforge bug tracker *is* the single right place to post such
> issues. The py-dev mailing list would be a second *useful* place to
> post such a comment, although not really the right place. The OP seemed
> to want an individual with whom he could have a private conversation
> about it.


I think he wanted a place to send a bug report that wouldn't be
exposed to public view until the developers had a chance to issue a
patch. With bugzilla, for example, you can check a bug labelled "this
is a security bug, keep it confidential". There's lots of dilemmas
and some controversy about keeping any bug reports confidential in an
open source system. But the general strategy selected by Mozilla
after much debate seems to mostly work ok. It basically says develop
a patch quickly, keep the bug confidential while the patch is being
developed, and once the patch is available, notify distro maintainers
to install it, and then after a short delay (like a couple days),
publish the bug.

Note that anyone with access to the bug (that includes the reporter
and selected developers) can uncheck the box at any time, if they
think the bug no longer needs to be confidential. The bug then
becomes visible to the public.
 

Fredrik Lundh
      01-28-2005
Duncan Booth wrote:

> I think its a bit borderline whether this really was a security bug in
> Python rather than just a problem with the way some people used Python. It
> was a standard library which if used in the wrong way opens a security hole
> on your machine


for SmartCookie, that should be "if used, opens a security hole"

</F>



 

Duncan Booth
      01-28-2005
Paul Rubin wrote:

> The Cookie issue is discussed some in that bug thread. But more
> relevant is bug 471893. Sorry.


Thanks. There's an interesting comment in that thread:

A.M. Kuchling (akuchling) wrote:
> Date: 2003-02-06 09:29
>
> The Cookie classes that use pickle have DeprecationWarnings in
> 2.3, and should disappear in 2.4.


It's a real pity that nobody seems to have remembered to actually remove
them.

>> I think its a bit borderline whether this really was a security bug in
>> Python rather than just a problem with the way some people used Python.

>
> If using a module the way it's documented results in a security hole,
> that's definitely a security bug.
>
> If using the module in an obvious and natural way that looks correct
> results in a security hole, I'd say it's at least an issue needing
> attention, even if some sufficiently hairsplitting reading of the
> documentation says that usage is incorrect. Principle of least
> astonishment.


Agreed. Principle of least astonishment is definitely good.
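Fredrik's remark above that for SmartCookie it should read "if used, opens a security hole", and the deprecation note Duncan quotes, both come down to the same mechanism: a cookie class that unpickles a value taken from the client hands the client a general-purpose loader. The following is an added example, not code from this thread or from the Python project. It assumes Python 3, where http.cookies ships only the string-only SimpleCookie (the pickle-backed SerialCookie and SmartCookie of the Python 2 Cookie module were not carried over). It shows the string-only parse beside a restricted unpickler, built on the find_class override described in the pickle documentation, that refuses any pickle stream referencing a global; the cookie header and the two pickle payloads are constructed for the example.

```python
"""Added example (not from the thread): why a pickle-backed cookie class is
unsafe "if used", and what a string-only or allow-listed loader looks like.
Assumes Python 3, where http.cookies provides only SimpleCookie."""
import io
import pickle
from http.cookies import SimpleCookie

# Constructed sample Cookie header, as a browser would send it.
SAMPLE_COOKIE_HEADER = 'session=abc123; theme=dark'


def parse_cookie_header(header: str) -> dict:
    """String-only parsing: every value stays a str, nothing is executed."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup. The SmartCookie hole is that a pickle
    stream may name any importable callable and have it invoked while
    loading; denying find_class outright closes that path for this loader
    (an allow-list of specific names could be substituted here)."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing global {module}.{name} in untrusted cookie data")


def loads_restricted(data: bytes):
    """Load a pickle without permitting any global reference."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_safe_pickle(data: bytes) -> bool:
    """True if data loads without touching a global, False if refused."""
    try:
        loads_restricted(data)
        return True
    except pickle.UnpicklingError:
        return False


# Constructed payloads: a plain dict needs no globals, while pickling a
# builtin function stores a global reference (GLOBAL/STACK_GLOBAL opcode),
# which is the feature a hostile cookie value would rely on.
PLAIN_PAYLOAD = pickle.dumps({"user": "alice", "admin": False})
GLOBAL_PAYLOAD = pickle.dumps(len)

if __name__ == "__main__":
    print(parse_cookie_header(SAMPLE_COOKIE_HEADER))
    print(is_safe_pickle(PLAIN_PAYLOAD), is_safe_pickle(GLOBAL_PAYLOAD))
```

The restricted unpickler is the mitigation for code that must keep reading existing pickled values; the cleaner fix, and the one Python 3 settled on for cookies, is the first function: treat cookie values as opaque strings and never deserialize them at all.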
 

Aahz
      01-28-2005
In article <(E-Mail Removed) .com>,
<(E-Mail Removed)> wrote:
>Aahz wrote:
>> In article <(E-Mail Removed). com>,
>> <(E-Mail Removed)> wrote:
>>>
>>>Who are the appropriate people to report security problems to in
>>>respect of a module included with the Python distribution? I don't
>>>feel it appropriate to be reporting it on general mailing lists.

>>
>> There is no generally appropriate non-public mechanism for reporting
>> security issues. If you really think this needs to be handled
>> privately, do some research to find out which core developer is most
>> likely to be familiar with it. Even before you do that, check
>> SourceForge to find out whether anyone else has reported it as a bug.

>
>I find this response a bit disappointing frankly. Open Source people
>make such a big deal about having lots of people being able to look at
>source code and from that discover security problems, thus making it
>somehow making it better than proprietary source code.


That's generally true, but not universally. The key point you seem to
have missed in my response is "non-public mechanism". Historically,
Python security issues have been thrashed out in public; the Python
project does not have a release cycle that makes it possible to quickly
address security concerns, so keeping it private has little point.

Your decision to take the private route makes it your responsibility to
search for an appropriate mechanism.

>I'm sorry, but this isn't really good enough. If Open Source wants to
>say that they are better than these proprietary companies, they need
>to deal with these sorts of things more professionally and establish
>decent channels of communications for dealing with it.


As other people said, sounds like you want to volunteer for this. Which
would be fine -- but there's still not much point until/unless we get
enough volunteers to manage quicker release cycles. Then there's still
the problem of getting people to update their local copies of Python.
This is a complex issue.
--
Aahz ((E-Mail Removed)) <*> http://www.pythoncraft.com/

"19. A language that doesn't affect the way you think about programming,
is not worth knowing." --Alan Perlis
 

Tim Peters
      01-28-2005
[(E-Mail Removed)]
> Who are the appropriate people to report security problems to
> in respect of a module included with the Python distribution?
> I don't feel it appropriate to be reporting it on general mailing
> lists.


The Python project has no non-public resources for this. Filing a bug
report on SourceForge is the usual approach. If you must, you could
send email directly to Guido <(E-Mail Removed)>. He may or may
not have time to follow up on it; public disclosure is the norm in
this project. Be forewarned that despite that he currently works for
a security startup, his threshold for "security panic" is very high.
 

Aahz
      01-28-2005
In article <(E-Mail Removed)>,
Tim Peters <(E-Mail Removed)> wrote:
>[(E-Mail Removed)]
>>
>> Who are the appropriate people to report security problems to
>> in respect of a module included with the Python distribution?
>> I don't feel it appropriate to be reporting it on general mailing
>> lists.

>
>The Python project has no non-public resources for this. Filing a bug
>report on SourceForge is the usual approach. If you must, you could
>send email directly to Guido <(E-Mail Removed)>. He may or may
>not have time to follow up on it; public disclosure is the norm in
>this project. Be forewarned that despite that he currently works for
>a security startup, his threshold for "security panic" is very high.


You mean s/despite/because/ don't you?
--
Aahz ((E-Mail Removed)) <*> http://www.pythoncraft.com/

"19. A language that doesn't affect the way you think about programming,
is not worth knowing." --Alan Perlis
 

Terry Reedy
      01-28-2005
OP:
>>I find this response a bit disappointing frankly. Open Source people
>>make such a big deal about having lots of people being able to look at
>>source code and from that discover security problems, thus making it
>>somehow making it better than proprietary source code.


OP: Did you discover this supposed security hole from black-box observation
of behavior or by being one of the 'lots of people being able to look at
source code', thereby giving evidence to the point?

Everyone: I say 'supposed' because
a) The OP has provided no info about his/her claim.
b) The OP's original post is a classical troll: blast volunteer developers
for not having anticipated and planned for a novel situation; argue against
things not said, at least now here, not recently; imply that volunteers owe
him something. Most people with the expertise to detect a security hole
would know better.
c) The noise generated because of b) has alerted any malware writers
monitoring c.l.p for hints about exploitable security holes that there
might be one in one of the few modules where such could reasonably be.

OP: If my doubts are wrong and you really do have something to quietly
report to the 'authority', then do so, and quit making a noise about it.

Terry J. Reedy



 