Obsolete package that causes Code Injection in testing/mozharness/requirements.txt
Categories
(Release Engineering :: Applications: MozharnessCore, defect)
Tracking
(firefox139 fixed)
Tracking | Status
---|---
firefox139 | fixed
People
(Reporter: u771097, Assigned: jcristau)
Details
(Keywords: reporter-external, sec-audit)
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Steps to reproduce:
In file mozilla/gecko-dev/testing/mozharness/requirements.txt
Identify the use of outdated or insecure dependencies such as logilab-common (1.4.2) and pylint (0.27.0).
Notice that these dependencies are vulnerable to code injection due to the unsafe use of os.system in related code paths, specifically via package_index module’s download functions.
The vulnerability in question is related to outdated versions of two packages, logilab-common and pylint, which in turn depend on setuptools (in the old version 40.5.0), which leads to a Code Injection vulnerability through the use of the insecure os.system function when loading packages.
POC https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5
Actual results:
The presence of these outdated packages with known vulnerabilities allows for remote code execution, potentially allowing an attacker to inject arbitrary commands into the build process.
Expected results:
The dependencies should be updated to secure versions
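The report's claim rests on a downloader building a shell command from an untrusted string and passing it to os.system. The following is an added example, not code from the report, from setuptools or from mozharness, and it does not reproduce whatever setuptools' package_index actually does; it shows the generic pattern and its hardened forms. `echo` stands in for the fetch tool, and the URL is a constructed input carrying a `;`-separated second command.

```python
import shlex
import subprocess
from typing import List

# Constructed input: a "download URL" carrying a shell metacharacter payload.
MALICIOUS_URL = "http://example.invalid/pkg.tar.gz; echo INJECTED"


def shell_download_command(url: str) -> str:
    """The string an os.system()-style downloader would hand to /bin/sh.
    'echo' stands in for whatever fetch tool the downloader would call."""
    return "echo " + url


def fetch_via_shell(url: str) -> List[str]:
    """Vulnerable pattern: string concatenation executed through the shell.
    Returns the lines the command produced."""
    result = subprocess.run(shell_download_command(url), shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout.splitlines()


def fetch_via_quoted_shell(url: str) -> List[str]:
    """Mitigation when a shell is unavoidable: quote the untrusted argument
    so the shell sees it as one word."""
    result = subprocess.run("echo " + shlex.quote(url), shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout.splitlines()


def fetch_via_argv(url: str) -> List[str]:
    """Hardened pattern: argv list and no shell, so the URL is a single
    literal argument and its metacharacters are never interpreted."""
    result = subprocess.run(["echo", url],
                            capture_output=True, text=True, check=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    print("shell  :", fetch_via_shell(MALICIOUS_URL))
    print("quoted :", fetch_via_quoted_shell(MALICIOUS_URL))
    print("argv   :", fetch_via_argv(MALICIOUS_URL))
```

Run on a POSIX shell, the first call prints two lines (the URL, then `INJECTED`, i.e. the second command ran), while the quoted and argv forms each print the URL as one literal line. Whether a build system is actually exposed depends on whether an attacker can get such a string into that code path at all, which is the gap the maintainers raise below.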
Comment 1•1 month ago
As far as I can tell this file is unused?
(In reply to Julien Cristau [:jcristau] from comment #1)
As far as I can tell this file is unused?
It is used to download Python file dependencies to perform the test; you can check the README file.
(In reply to RuslanSemchenko from comment #2)
(In reply to Julien Cristau [:jcristau] from comment #1)
As far as I can tell this file is unused?
It is used to download Python file dependencies to perform the test; you can check the README file.
It wouldn't be there at all if it weren't needed.
Comment 4•29 days ago
Frida: do these components fall under the web bounty program (CI issues seem to?) or the client bounty program?
Comment 5•29 days ago
Outdated packages are a potential risk, but there's a gap between "in condition X a bad thing will happen" and "I can make your build system have condition X".
It's probably easier to remove or update these packages than to prove there's an actual problem here.
Comment 6•29 days ago
But is it really necessary to delete it at all? As for me, it is necessary to update to newer versions and that's it.
(In reply to RuslanSemchenko from comment #7)
But is it really necessary to delete it at all? As for me, it is necessary to update to newer versions and that's it.
in requirements.txt
These packages are needed for mozharness unit tests.
Output from 'pip freeze'; we may be able to use other versions of the below packages.
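The practical check behind "outdated packages are a potential risk" is to parse the pins and compare them against a policy floor. The following is an added example, not code from mozharness or the bug; the requirements text is a constructed sample modelled on the pins named in the report (not the real file), and the minimum versions are placeholder thresholds for the example, not advisory fix versions. It handles exact pins, lower-bound pins, inline comments and PEP 503 style name normalization, and only reads numeric version components rather than implementing full PEP 440.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the pins named in the report; it is not the
# actual testing/mozharness/requirements.txt.
SAMPLE_REQUIREMENTS = """\
# These packages are needed for mozharness unit tests.
# Output from 'pip freeze'; we may be able to use other versions of the below packages.
logilab-common==1.4.2
pylint==0.27.0
setuptools==40.5.0
six>=1.10.0   # a lower-bound pin: the floor is what gets checked
Logilab_Common==1.4.2   # same package under a non-normalized name
"""

# Hypothetical policy: the oldest version each package may be pinned to.
# Placeholder numbers for the example; take real floors from an advisory database.
MINIMUM_VERSIONS: Dict[str, str] = {
    "logilab-common": "1.5.0",
    "pylint": "2.0.0",
    "setuptools": "41.0.0",
    "six": "1.16.0",
}

# Project name, then an optional operator and version. Comments are stripped first.
PIN_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"\s*(?:(?P<op>==|>=|~=|<=|<|>|!=)\s*(?P<ver>[0-9][0-9A-Za-z.+!-]*))?"
)


def normalize_name(name: str) -> str:
    """PEP 503 style normalization so 'Logilab_Common' and 'logilab-common' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components only: enough for X.Y.Z pins, not a full PEP 440 parser."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def parse_requirements(text: str) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (normalized name, operator, version) for each requirement line."""
    out: List[Tuple[str, Optional[str], Optional[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline and full-line comments
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            continue  # URLs, -r includes and similar are out of scope here
        out.append((normalize_name(m["name"]), m["op"], m["ver"]))
    return out


def audit(text: str, minimums: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Flag pins whose exact (==) or floor (>=) version is below the policy minimum.
    Returns (name, pinned version, required minimum) per finding."""
    findings: List[Tuple[str, str, str]] = []
    for name, op, ver in parse_requirements(text):
        floor = minimums.get(name)
        if floor is None or op not in ("==", ">=") or ver is None:
            continue
        if version_key(ver) < version_key(floor):
            findings.append((name, ver, floor))
    return findings


if __name__ == "__main__":
    for name, pinned, floor in audit(SAMPLE_REQUIREMENTS, MINIMUM_VERSIONS):
        print(f"{name}: pinned {pinned}, policy minimum {floor}")
```

A hit from this check only says that the pinned version is older than the floor; as comment 5 notes, that is a different statement from "the build is exploitable", which still needs a demonstrated path from untrusted input to the affected code.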
Comment 9•24 days ago
Hello Dan, gecko-dev repo is out of scope of the web bug bounty. Thanks.
Comment 10•24 days ago
Comment 11•24 days ago
Comment 12•23 days ago
While the file in the tree may have referenced a vulnerable thing, that does not mean the repository is actually vulnerable. The fact that we could remove it without impact tells me that it was an unused file.
When reporting a bug that something is out of date and vulnerable, we will frequently just update the component. Sometimes we can tell immediately that we are vulnerable from an outdated component (and thus can award a bounty), but when we can identify no path to vulnerability the burden is upon the filer to demonstrate that there is a path to exploitation to qualify for a bounty.