Python security team
Hi,

I would like to know if a Python security team does exist. I sent an email about an imageop issue, and I didn't get any answer. Later I learned that a security ticket was created; I don't have access to it.

First, I would like to access this information. Not only this issue, but all security related issues. I have some knowledge about security and I can help to resolve issues and/or estimate the criticality of an issue.

Second, I would like to help to fix all Python security issues. It looks like the Python community isn't very reactive (proactive?) about security. E.g. a DoS was reported in the smtpd server (integrated into Python)... 15 months ago. A patch is available but it's not applied in Python trunk.

Third, I'm also looking for a document explaining "how Python is secure" (!). If a user can run arbitrary Python code, we know that it can do anything (read/remove any file, create/kill any process, read/write anywhere in memory, etc.). Brett wrote a paper about CPython sandboxing. PyPy is also working on sandboxing using two interpreters: one has high privilege and executes instructions from the second interpreter (after checking the permissions and arguments). So is there somewhere a document explaining the current status of Python security?

-- Victor Stinner aka haypo http://www.haypocalc.com/blog/
On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner <victor.stinner@haypocalc.com> wrote:
Second, I would like to help to fix all Python security issues. It looks like the Python community isn't very reactive (proactive?) about security. E.g. a DoS was reported in the smtpd server (integrated into Python)... 15 months ago. A patch is available but it's not applied in Python trunk.
The smtpd module is not meant to be used without modification. It is the responsibility of the application writer to decide the limitations of the emails they want to allow sending, and subsequently handle the case where emails overrun that limit. That the bug wasn't assigned to me outright (I am the maintainer of asyncore, asynchat, and smtpd) was an understandable mistake. - Josiah
On 27 Sep, 20:04, "Josiah Carlson" <josiah.carl...@gmail.com> wrote:
On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner
<victor.stin...@haypocalc.com> wrote:
Second, I would like to help to fix all Python security issues. It looks like the Python community isn't very reactive (proactive?) about security. E.g. a DoS was reported in the smtpd server (integrated into Python)... 15 months ago. A patch is available but it's not applied in Python trunk.
The smtpd module is not meant to be used without modification. It is the responsibility of the application writer to decide the limitations of the emails they want to allow sending, and subsequently handle the case where emails overrun that limit.
The issue does not concern the emails but the buffer used internally to store the received raw data sent by the client. The user who wants to fix the issue (#1745035) should override the collect_incoming_data method, which is usually not meant to be modified. Moreover, there are two RFCs which state that extremely long lines must be truncated and an error reply must be returned.

--- Giampaolo http://code.google.com/p/pyftpdlib/
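The buffering problem Giampaolo describes, shown as an added example that is not code from the smtpd module, from issue #1745035, or from any poster in this thread: a minimal model of asynchat's collect_incoming_data / found_terminator pattern in plain Python (no sockets, and no dependency on the since-removed asynchat module), with the unbounded receiver beside a bounded one that discards an over-long line and answers it with an error reply. The 1000-octet cap is the SMTP text line limit from RFC 5321 section 4.5.3.1.6; the class names, the run() helper and the "500 Line too long" reply wording are my assumptions, and the traffic fed in is constructed.

```python
"""Bounding the receive buffer of a line-oriented (SMTP-style) server.

Added example, not the smtpd module's code. It models the asynchat pattern
the thread refers to (collect_incoming_data() stores bytes until
found_terminator() fires on CRLF) so it runs without sockets. The 1000-octet
cap is the SMTP text line limit (RFC 5321 section 4.5.3.1.6); the reply
wording "500 Line too long" is an assumption.
"""
from __future__ import annotations

CRLF = b"\r\n"


class LineReceiver:
    """Base: splits a byte stream on CRLF and dispatches like asynchat does."""

    def __init__(self) -> None:
        self.lines: list[bytes] = []     # complete lines handed to the protocol
        self.replies: list[bytes] = []   # replies the server would send back
        self._partial = b""              # at most a trailing b"\r" from the last chunk
        self.peak_buffered = 0           # high-water mark of bytes held for one line

    def feed(self, chunk: bytes) -> None:
        """Process one chunk as it would arrive from a socket read."""
        data = self._partial + chunk
        self._partial = b""
        while True:
            i = data.find(CRLF)
            if i < 0:
                if data.endswith(b"\r"):   # terminator may straddle two chunks
                    self._partial = b"\r"
                    data = data[:-1]
                if data:
                    self.collect_incoming_data(data)
                return
            if i:
                self.collect_incoming_data(data[:i])
            self.found_terminator()
            data = data[i + 2:]

    def collect_incoming_data(self, data: bytes) -> None:
        raise NotImplementedError

    def found_terminator(self) -> None:
        raise NotImplementedError


class UnboundedLineReceiver(LineReceiver):
    """The weak pattern: keep every byte until a CRLF shows up, however long that takes."""

    def __init__(self) -> None:
        super().__init__()
        self._buf = bytearray()

    def collect_incoming_data(self, data: bytes) -> None:
        self._buf += data                       # grows without limit
        self.peak_buffered = max(self.peak_buffered, len(self._buf))

    def found_terminator(self) -> None:
        self.lines.append(bytes(self._buf))
        self._buf.clear()


class BoundedLineReceiver(LineReceiver):
    """Hardened pattern: cap the per-line buffer, drop the excess, answer with an error."""

    def __init__(self, max_line: int = 1000) -> None:
        super().__init__()
        self.max_line = max_line
        self._buf = bytearray()
        self._overflow = False

    def collect_incoming_data(self, data: bytes) -> None:
        if self._overflow:
            return                              # discard the rest of an over-long line
        room = self.max_line - len(self._buf)
        if len(data) > room:
            self._overflow = True               # remember to reject at the terminator
            self._buf.clear()                   # nothing of this line is worth keeping
            return
        self._buf += data
        self.peak_buffered = max(self.peak_buffered, len(self._buf))

    def found_terminator(self) -> None:
        if self._overflow:
            self.replies.append(b"500 Line too long" + CRLF)
            self._overflow = False
        else:
            self.lines.append(bytes(self._buf))
        self._buf.clear()


def run(receiver: LineReceiver, chunks: list[bytes]) -> tuple[list[bytes], list[bytes], int]:
    """Feed chunks in order; return (lines, replies, peak bytes buffered for one line)."""
    for chunk in chunks:
        receiver.feed(chunk)
    return receiver.lines, receiver.replies, receiver.peak_buffered


if __name__ == "__main__":
    # Constructed traffic: one normal command, then a line that takes 32 KiB to end.
    flood = [b"EHLO client.example" + CRLF] + [b"A" * 4096] * 8 + [CRLF, b"QUIT" + CRLF]
    print(run(UnboundedLineReceiver(), flood))
    print(run(BoundedLineReceiver(), flood))
```

The third value returned by run() is the point of the comparison: it is how much memory a single unauthenticated connection can force the server to hold for one line, unbounded in the first receiver and never above max_line in the second. In a real asynchat-derived handler the same cap belongs in collect_incoming_data, exactly the method the thread says application authors were not expected to override.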
On Mon, Sep 29, 2008 at 12:02 PM, Giampaolo Rodola' <gnewsg@gmail.com> wrote:
On 27 Sep, 20:04, "Josiah Carlson" <josiah.carl...@gmail.com> wrote:
On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner
<victor.stin...@haypocalc.com> wrote:
Second, I would like to help to fix all Python security issues. It looks like the Python community isn't very reactive (proactive?) about security. E.g. a DoS was reported in the smtpd server (integrated into Python)... 15 months ago. A patch is available but it's not applied in Python trunk.
The smtpd module is not meant to be used without modification. It is the responsibility of the application writer to decide the limitations of the emails they want to allow sending, and subsequently handle the case where emails overrun that limit.
The issue does not concern the emails but the buffer used internally to store the received raw data sent by the client. The user who wants to fix the issue (#1745035) should override the collect_incoming_data method, which is usually not meant to be modified. Moreover, there are two RFCs which state that extremely long lines must be truncated and an error reply must be returned.
We can and should discuss the specifics of this item in the bug report itself. I should have replied there instead. - Josiah
Yeah, right. Let's continue there.

--- Giampaolo http://code.google.com/p/pyftpdlib

On 29 Sep, 22:44, "Josiah Carlson" <josiah.carl...@gmail.com> wrote:
On Mon, Sep 29, 2008 at 12:02 PM, Giampaolo Rodola' <gne...@gmail.com> wrote:
On 27 Sep, 20:04, "Josiah Carlson" <josiah.carl...@gmail.com> wrote:
On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner
<victor.stin...@haypocalc.com> wrote:
Second, I would like to help to fix all Python security issues. It looks like the Python community isn't very reactive (proactive?) about security. E.g. a DoS was reported in the smtpd server (integrated into Python)... 15 months ago. A patch is available but it's not applied in Python trunk.
The smtpd module is not meant to be used without modification. It is the responsibility of the application writer to decide the limitations of the emails they want to allow sending, and subsequently handle the case where emails overrun that limit.
The issue does not concern the emails but the buffer used internally to store the received raw data sent by the client. The user who wants to fix the issue (#1745035) should override the collect_incoming_data method, which is usually not meant to be modified. Moreover, there are two RFCs which state that extremely long lines must be truncated and an error reply must be returned.
We can and should discuss the specifics of this item in the bug report itself. I should have replied there instead.
- Josiah

_______________________________________________
Python-Dev mailing list
Python-...@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/python-dev2-garchiv...
On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner <victor.stinner@haypocalc.com> wrote:
Hi,
I would like to know if a Python security team does exist. I sent an email about an imageop issue, and I didn't get any answer. Later I learned that a security ticket was created, I don't have access to it.
Yes, the PSRT (Python Security Response Team) does exist. We did get your email; sorry we didn't respond. There are very few members on that list and most of them are extremely busy. Responding to your email just slipped through the cracks. I believe Benjamin was the last person to work on your submitted patch.
First, I would like to access this information. Not only this issue, but all security related issues. I have some knowledge about security and I can help to resolve issues and/or estimate the criticality of an issue.
That would require commit privileges first. Don't know if the group requires that a person have a decent amount of time committing to the core first (I just joined the list in late July).
Second, I would like to help to fix all Python security issues. It looks like the Python community isn't very reactive (proactive?) about security. E.g. a DoS was reported in the smtpd server (integrated into Python)... 15 months ago. A patch is available but it's not applied in Python trunk.
Historically we have not been proactive. No one on the core team (that I know of) would claim they are a security expert. And with Python not making any claims to being secure, we just don't worry about DoS stuff, etc.; only the severe buffer overflow attacks that get reported and such typically get immediate attention. Considering we have a Crashers directory in the test suite I think that shows we are not stressed over plugging every potential crash (although we obviously would like to).
Third, I'm also looking for a document explaining "how Python is secure" (!). If a user can run arbitrary Python code, we know that it can do anything (read/remove any file, create/kill any process, read/write anywhere in memory, etc.). Brett wrote a paper about CPython sandboxing. PyPy is also working on sandboxing using two interpreters: one has high privilege and executes instructions from the second interpreter (after checking the permissions and arguments). So is there somewhere a document explaining the current status of Python security?
Nope. I think my paper and blog posts are about the best you are going to find since we removed Bastion/rexec. Basically the philosophy has been "fix privilege escalation stuff immediately, fix crashers when the fix is simple or someone has the time to fix the complicated ones". Or at least that is the philosophy I personally have followed. -Brett
Brett Cannon wrote:
On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner <victor.stinner@haypocalc.com> wrote:
Hi,
I would like to know if a Python security team does exist. I sent an email about an imageop issue, and I didn't get any answer. Later I learned that a security ticket was created, I don't have access to it.
Yes, the PSRT (Python Security Response Team) does exist. We did get your email; sorry we didn't respond. There are very few members on that list and most of them are extremely busy. Responding to your email just slipped through the cracks. I believe Benjamin was the last person to work on your submitted patch.
[...]

If we don't have a documented procedure, or if we do have a procedure and it isn't being followed, we can't be said to be taking security seriously, which I would find disappointing. This is one of the few areas where we probably *do* need to be meticulous, and the absence of a reply to a security report isn't really satisfactory.

Perhaps if the PSF does eventually hire some paid help, running the secretarial and administrative portions of the security team would help the busy members to avoid such issues dropping through the cracks in future.

regards
Steve
-- Steve Holden +1 571 484 6266 +1 800 494 3119 Holden Web LLC http://www.holdenweb.com/
On Sun, Sep 28, 2008 at 6:39 AM, Steve Holden <steve@holdenweb.com> wrote:
Brett Cannon wrote:
On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner <victor.stinner@haypocalc.com> wrote:
Hi,
I would like to know if a Python security team does exist. I sent an email about an imageop issue, and I didn't get any answer. Later I learned that a security ticket was created, I don't have access to it.
Yes, the PSRT (Python Security Response Team) does exist. We did get your email; sorry we didn't respond. There are very few members on that list and most of them are extremely busy. Responding to your email just slipped through the cracks. I believe Benjamin was the last person to work on your submitted patch.
[...]
If we don't have a documented procedure, or if we do have a procedure and it isn't being followed, we can't be said to be taking security seriously, which I would find disappointing. This is one of the few areas where we probably *do* need to be meticulous, and the absence of a reply to a security report isn't really satisfactory.
Perhaps if the PSF does eventually hire some paid help, running the secretarial and administrative portions of the security team would help the busy members to avoid such issues dropping through the cracks in future.
That actually would be extremely beneficial since as right now a big problem we have is writing up the official announcement that some security issue has been plugged and then sticking up the patches online for people to download. -Brett
On Sunday 28 September 2008 02:45:14, Brett Cannon wrote:
Second, I would like to help to fix all Python security issues. It looks like the Python community isn't very reactive (proactive?) about security. E.g. a DoS was reported in the smtpd server (integrated into Python)... 15 months ago. A patch is available but it's not applied in Python trunk.
Historically we have not been proactive.
Well, I just asked to know the current status. The first step for a secure program is to know its limits ;)
Nope. I think my paper and blog posts are about the best you are going to find
I will try to write a document about Python and security next week.

-- Victor Stinner aka haypo http://www.haypocalc.com/blog/
Brett Cannon wrote:
On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner <victor.stinner@haypocalc.com> wrote:
First, I would like to access this information. Not only this issue, but all security related issues. I have some knowledge about security and I can help to resolve issues and/or estimate the criticality of an issue.
That would require commit privileges first. Don't know if the group requires that a person have a decent amount of time committing to the core first (I just joined the list in late July).
Commit privileges? I would be interested in joining the PSRT list too - as a Python maintainer for openSUSE, I think that it would be beneficial for both my and your work. And I can imagine that maintainers from other distributions have a similar opinion on this ;) And that does not necessarily mean commit privileges, right?

Or is this an issue of trust, where "we trust you enough to make changes to the core" equals "we also trust you enough to see the security issues"?

regards
jan matejek
On Mon, Sep 29, 2008 at 5:11 AM, Jan Matejek <jan.matejek@novell.com> wrote:
Brett Cannon wrote:
On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner <victor.stinner@haypocalc.com> wrote:
First, I would like to access this information. Not only this issue, but all security related issues. I have some knowledge about security and I can help to resolve issues and/or estimate the criticality of an issue.
That would require commit privileges first. Don't know if the group requires that a person have a decent amount of time committing to the core first (I just joined the list in late July).
Commit privileges? I would be interested in joining the PSRT list too - as a Python maintainer for openSUSE, I think that it would be beneficial for both my and your work. And I can imagine that maintainers from other distributions have a similar opinion on this ;) And that does not necessarily mean commit privileges, right?
Or is this an issue of trust, where "we trust you enough to make changes to the core" equals "we also trust you enough to see the security issues" ?
Traditionally we have been extremely careful in selecting people to join the PSRT -- basically people that have many years of reputation *within the Python community*. I think we may have to expand our selection criteria, since the existing approach has led to a small PSRT whose members are all too busy to do the necessary legwork. At the same time we need to remain selective -- I don't think having a crowd of hundreds would be productive, and we need to be sure that every single member can absolutely be trusted to take security seriously.

To answer your question directly, I don't think that just being the Python maintainer for some Linux distribution is enough to qualify -- if our process worked well enough, you'd be getting the patches from us via some downstream-flowing distribution mechanism that reaches only trusted people within each vendor organization. I don't happen to know you personally -- but perhaps other current members of the PSRT do and that could be enough to secure an invitation.

-- --Guido van Rossum (home page: http://www.python.org/~guido/)
Guido van Rossum wrote:
I think we may have to expand our selection criteria, since the existing approach has led to a small PSRT whose members are all too busy to do the necessary legwork. At the same time we need to remain selective -- I don't think having a crowd of hundreds would be productive, and we need to be sure that every single member can absolutely be trusted to take security seriously.
Of course.
To answer your question directly, I don't think that just being the Python maintainer for some Linux distribution is enough to qualify -- if our process worked well enough, you'd be getting the patches from us via some downstream-flowing distribution mechanism that reaches only trusted people within each vendor organization. I don't happen to
Thanks for your answer. I guess the process is the real problem then. From what I could observe, the connection between vendor-sec and PSRT is not really working as it should. (And then of course you need some kind of upstream flow too, because not everyone reports to PSRT.)
know you personally -- but perhaps other current members of the PSRT do and that could be enough to secure an invitation.
No, I don't think that I'm known well enough to earn the invitation (yet), this was more of a "so how the hell does it really work" question.

regards,
jan matejek
Jan Matějek wrote:
Guido van Rossum wrote: [...]
know you personally -- but perhaps other current members of the PSRT do and that could be enough to secure an invitation.
No, I don't think that I'm known well enough to earn the invitation (yet), this was more of a "so how the hell does it really work" question.
I haven't yet heard anyone make a convincing case that it does. It is a great idea, and we *do* need to take security seriously, but at present all we have is a bunch of well-intentioned and over-committed volunteers.

regards
Steve
-- Steve Holden +1 571 484 6266 +1 800 494 3119 Holden Web LLC http://www.holdenweb.com/
On Sep 30, 2008, at 7:27 AM, Jan Matějek <jmatejek@suse.cz> wrote:
Thanks for your answer. I guess the process is the real problem then. From what I could observe, the connection between vendor-sec and PSRT is not really working as it should. (And then of course you need some kind of upstream flow too, because not everyone reports to PSRT.)
Please remember that the proper way to contact the PSRT is via security@python.org. FWIW, I am in favor of adding a few trusted people to the team, but only if they're willing to actually get stuff done :). Clearly the current team is too swamped to act effectively, myself included.

-Barry
On Sat, Sep 27, 2008 at 8:45 PM, Brett Cannon <brett@python.org> wrote:
On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner <victor.stinner@haypocalc.com> wrote:
I would like to know if a Python security team does exist. I sent an email about an imageop issue, and I didn't get any answer. Later I learned that a security ticket was created, I don't have access to it.
Yes, the PSRT (Python Security Response Team) does exist. We did get your email; sorry we didn't respond. There are very few members on that list and most of them are extremely busy. Responding to your email just slipped through the cracks. I believe Benjamin was the last person to work on your submitted patch.
I would be interested in participating. Is there any documentation about the team or the processes? My Google search just turned up a bunch of mailing list posts looking for team members.

-- David http://www.traceback.org
participants (10)
- Barry Warsaw
- Brett Cannon
- David Stanek
- Giampaolo Rodola'
- Guido van Rossum
- Jan Matějek
- Jan Matejek
- Josiah Carlson
- Steve Holden
- Victor Stinner