Hi all,
On exec vs. eval: just to be clear, I'm not claiming that exec is any
safer than eval; it obviously isn't. The reasons I think it's safer
in this case have to do with how it's used. First, since the
preprocessing required is much more rudimentary, it's much less likely
that we'll get something other than the actual Google-supplied
Javascript, and much less likely that said something else would be
syntactically correct. Second, since it sets __builtins__ to None,
even a malicious Google programmer will have to work pretty hard to
break into the surrounding system.
By the way, you can get the same safety with eval:
>>> eval('open("f")', {'__builtins__': None}, {})
Traceback (most recent call last):
File "<pyshell#0>", line 1, in -toplevel-
eval('open("f")', {'__builtins__': None}, {})
File "<string>", line 0, in -toplevel-
NameError: name 'open' is not defined
Now that I think about it, this would have been the fast way to plug
the hole. I guess it's a case of tunnel vision that I didn't realize
and mention this before! On the other hand, it's still a hole of the
"make libgmail eat up all available memory" variety, since you can
still evaluate, say, [0] * 1000000000.
I definitely agree that in the end we (both) need an actual
text-processing parser.
Andrew
On 9/19/05, Stas Z <sta...@gm...> wrote:
> On 9/19/05, follower <fol...@my...> wrote:
> >
> > > Please check the libgmail version currently in CVS because we must release
> > > as soon as possible.
> > I think it would be best to avoid "exec" too--there's really no way to
> > safely handle arbitrary code in Python. (Hence the removal of the rexec
> > module.) It would be better to use a simple parser.
> I agree, but we use exec to parse the javascript from the Gmail pages.
> This way we only have a problem when the Gmail developers add malicious
> javascript.
> Nonetheless, I know exec can be a problem but at this moment it's a lot
> safer than the former solution.
>
> > I can't give the code a thorough look through at the moment...
> >
> > > PS, Because this bug has such a high risk, especially on Windows, I suggest
> > > that we don't make the exploit code public. At least not for a few weeks.
> > Do as you see fit, but I think we should say people should stop using
> > previous versions and upgrade immediately.
> I meant not to disclose the actual way to exploit this. It's *very* important
> indeed to inform our users about the problem.
>
> BTW, the actual exploit *and* solution came from Andrew.
>
> Stas
>
> --
> A nation that continues year after year to spend more money on military defense
> than on programs of social uplift is approaching spiritual doom.
> Martin Luther King, Jr.
>
>
> _______________________________________________
> Gmailagent-devel mailing list
> Gma...@li...
> https://lists.sourceforge.net/lists/listinfo/gmailagent-devel
>
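[Editor's note, added to this archived message; the code below is not libgmail's and not from anyone in the thread.] The thread's conclusion is that neither exec nor eval with `__builtins__` set to None is a real fix: name lookups like `open` are blocked, but any expression the parser accepts is still evaluated, so `[0] * 1000000000` still exhausts memory. The alternative Andrew and follower agree on is a text-processing parser that only understands the literal subset Gmail's pages actually contain. The example below is such a parser for a JSON-like JavaScript subset (arrays, strings, numbers, true/false/null) plus a helper that pulls the arguments out of `D(...);` calls. The `D(` call prefix and the sample script are constructed assumptions for illustration, not real Gmail page data. Anything outside the literal grammar, including function calls and arithmetic, raises ValueError instead of being executed.

```python
"""Added example: a literal-only parser as a replacement for exec/eval when
scraping JavaScript data out of HTML. Not libgmail code; the D(...) call
shape and SAMPLE_SCRIPT below are constructed for illustration."""
import re


class JSLiteralParser:
    """Recursive-descent parser for a JS literal subset: arrays, single- or
    double-quoted strings, numbers, true/false/null.  No identifiers, calls
    or operators are accepted, so open("f") and [0] * 1000000000 are errors
    rather than things that run."""

    _NUMBER = re.compile(r'-?\d+(?:\.\d+)?(?:[eE][-+]?\d+)?')
    _ESCAPES = {'n': '\n', 't': '\t', 'r': '\r', 'b': '\b', 'f': '\f',
                '\\': '\\', '"': '"', "'": "'", '/': '/'}

    def __init__(self, text, pos=0):
        self.text = text
        self.pos = pos

    def parse(self):
        """Parse the whole text as one literal; trailing data is an error."""
        value = self.parse_value()
        self._skip_ws()
        if self.pos != len(self.text):
            raise ValueError('trailing data at offset %d' % self.pos)
        return value

    def _skip_ws(self):
        while self.pos < len(self.text) and self.text[self.pos] in ' \t\r\n':
            self.pos += 1

    def _peek(self):
        self._skip_ws()
        if self.pos >= len(self.text):
            raise ValueError('unexpected end of input')
        return self.text[self.pos]

    def parse_value(self):
        """Parse one literal starting at self.pos and leave pos just after it."""
        ch = self._peek()
        if ch == '[':
            return self._array()
        if ch in '"\'':
            return self._string(ch)
        for word, val in (('true', True), ('false', False), ('null', None)):
            if self.text.startswith(word, self.pos):
                self.pos += len(word)
                return val
        m = self._NUMBER.match(self.text, self.pos)
        if m:
            self.pos = m.end()
            lit = m.group()
            return float(lit) if any(c in lit for c in '.eE') else int(lit)
        raise ValueError('unexpected token at offset %d: %r' % (self.pos, ch))

    def _array(self):
        self.pos += 1  # consume '['
        items = []
        if self._peek() == ']':
            self.pos += 1
            return items
        while True:
            items.append(self.parse_value())
            ch = self._peek()
            self.pos += 1
            if ch == ']':
                return items
            if ch != ',':
                raise ValueError('expected , or ] at offset %d' % (self.pos - 1))

    def _string(self, quote):
        self.pos += 1  # consume opening quote
        out = []
        while True:
            if self.pos >= len(self.text):
                raise ValueError('unterminated string')
            ch = self.text[self.pos]
            self.pos += 1
            if ch == quote:
                return ''.join(out)
            if ch != '\\':
                out.append(ch)
                continue
            if self.pos >= len(self.text):
                raise ValueError('unterminated escape')
            esc = self.text[self.pos]
            self.pos += 1
            if esc == 'u':  # \uXXXX
                hexdigits = self.text[self.pos:self.pos + 4]
                if not re.fullmatch(r'[0-9a-fA-F]{4}', hexdigits):
                    raise ValueError('bad \\u escape at offset %d' % self.pos)
                out.append(chr(int(hexdigits, 16)))
                self.pos += 4
            elif esc in self._ESCAPES:
                out.append(self._ESCAPES[esc])
            else:
                raise ValueError('unsupported escape \\%s' % esc)


def parse_js_literal(text):
    return JSLiteralParser(text).parse()


def rejects(text):
    """True if the literal parser refuses the text (the safe outcome)."""
    try:
        parse_js_literal(text)
        return False
    except ValueError:
        return True


def extract_data_calls(script, prefix='D('):
    """Return the parsed argument of every D(<literal>); call in script.
    The prefix is an assumed call shape, not a documented Gmail format."""
    results = []
    start = 0
    while True:
        idx = script.find(prefix, start)
        if idx < 0:
            return results
        p = JSLiteralParser(script, idx + len(prefix))
        results.append(p.parse_value())
        if p._peek() != ')':
            raise ValueError('expected ) at offset %d' % p.pos)
        start = p.pos + 1


# Constructed sample, not real Gmail page content.
SAMPLE_SCRIPT = ('<script>D(["v","fp",1]);\n'
                 'D(["t",["msg_1","Meeting notes",true,null,1127102400]]);\n'
                 '</script>')

if __name__ == '__main__':
    print(extract_data_calls(SAMPLE_SCRIPT))
    print(rejects('[0] * 1000000000'), rejects('open("f")'))
```

Because the parser never hands text to the interpreter, the two holes discussed above (name lookup of builtins, and resource exhaustion through an otherwise legal expression) both collapse into a ValueError at the offending offset, which is also the right thing to log when a page changes shape.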