Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Something strange happened with pre-release versions with wmagent #11188

Closed
rakovskij-stanislav opened this issue Jun 20, 2022 · 7 comments
Closed

Comments

@rakovskij-stanislav
Copy link

Impact of the bug
Malicious code execution

Describe the bug
There are a release candidates of wmagent (https://pypi.org/project/wmagent/1.3.3rc2/#history)
In 1.3.3rc2 and 1.3.3rc1 there is a requirements.txt file with this content:

# All dependencies needed to run WMAgent
Cheetah==2.4.0
Markdown==3.0.1
MySQL-python==1.2.5
SQLAlchemy==1.3.3
Sphinx==1.3.5
cx-Oracle==5.2.1
dbs-client==3.7.8
decorator==3.4.2
future==0.16.0
httplib2==0.7.3
psutil==5.6.6
py==1.7.0
pyOpenSSL==18.0.0
pycurl-client==3.7.8
pycurl==7.19.3
python-cjson==1.2.1
pyzmq==17.1.2
retry==0.9.1
stomp.py==4.1.15
rucio-clients==1.19.3

These dependencies will be installed by setup.py:

...
requirements = "requirements.txt"

...
setup(name='wmagent',
      version=wmcore_version,
      maintainer='CMS DMWM Group',
      maintainer_email='hn-cms-dmDevelopment@cern.ch',
      package_dir={'': 'src/python/'},
      packages=list_packages(['src/python/Utils',
                              'src/python/WMCore',
                              'src/python/WMComponent',
                              'src/python/WMQuality',
                              'src/python/PSetTweaks']),
      data_files=list_static_files(),
      install_requires=parse_requirements(requirements),
      url="https://github.com/dmwm/WMCore",
      license="Apache License, Version 2.0",
      )

dbs-client does not exist in pypi yet:

python3 -m pip install dbs-client
ERROR: Could not find a version that satisfies the requirement dbs-client (from versions: none)
ERROR: No matching distribution found for dbs-client

The problem: the intruder can create malicious dbs-client package on pypi and it will be installed by our package users.

Solution:
Need to delete these potential unsafe packages from pypi.

@rakovskij-stanislav
Copy link
Author

Found similar package, that depends on dbs-client, with the same problem: https://pypi.org/project/reqmgr2/

@rakovskij-stanislav
Copy link
Author

rakovskij-stanislav commented Jun 20, 2022

@amaltaro
Copy link
Contributor

@rakovskij-stanislav Hi Rakovskij, thank you very much for reporting this issue. I think those versions were the first ones to be uploaded to PyPi when we were commissioning this build/upload process.

@goughes could you please check how we can remove a given package version from PyPi (I think we can mark them as DELETED). Once you know what the changes are required, I'd suggest to mark anything that is below 2.0.x version as deleted/deprecated, whatever is needed to tell Pypi not to download that version.

@rakovskij-stanislav
Copy link
Author

@amaltaro, please check your email on cern.ch)

@amaltaro
Copy link
Contributor

@rakovskij-stanislav Hi Stanislav, sorry for the delayed response, we were discussing how to address this issue.
Would you be so kind to file a CVE for this?

@amaltaro
Copy link
Contributor

The old (test) PyPi releases have been deleted yesterday and an up-to-date wmagent release has been built and uploaded to PyPi (version 2.0.4). Thanks!
I think this issue can now be closed, but in case we missed anything, please do let us know. Thanks again Stanislav for reporting this problem!

@rakovskij-stanislav
Copy link
Author

rakovskij-stanislav commented Jul 29, 2022

@amaltaro,
CVE registered: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34558.
Thank you for taking vulnerability management processes seriously.


Rakovsky Stanislav (Positive Technologies)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants