Python security team

by Victor STINNER

Hi,

I would like to know if a Python security team does exist. I sent an email
about an imageop issue, and I didn't get any answer. Later I learned that a
security ticket was created, I don't have access to it.

First, I would like to have access to this information. Not only this issue, but
all security related issues. I have some knowledge about security and I can
help to resolve issues and/or estimate the criticality of an issue.

Second, I would like to help to fix all Python security issues. It looks like
Python community isn't very reactive (proactive?) about security. Eg. a DoS
was reported in smtpd server (integrated to Python)... 15 months ago. A patch
is available but it's not applied in Python trunk.

Third, I'm also looking for a document explaining "how Python is secure" (!).
If a user can run arbitrary Python code, we know that it can do anything
(read/remove any file, create/kill any process, read/write anywhere in
memory, etc.). Brett wrote a paper about CPython sandboxing. PyPy is also
working on sandboxing using two interpreters: one has high privilege and
executes instructions from the second interpreter (after checking the
permissions and arguments). So is there somewhere a document to explain the
current status of Python security?

--
Victor Stinner aka haypo
http://www.haypocalc.com/blog/
_______________________________________________
Python-Dev mailing list
Python-Dev@...
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/lists%40nabble.com

Re: Python security team

by Josiah Carlson-3

On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner
<victor.stinner@...> wrote:
> Second, I would like to help to fix all Python security issues. It looks like
> Python community isn't very reactive (proactive?) about security. Eg. a DoS
> was reported in smtpd server (integrated to Python)... 15 months ago. A patch
> is available but it's not applied in Python trunk.

The smtpd module is not meant to be used without modification.  It is
the responsibility of the application writer to decide the limitations
of the emails they want to allow sending, and subsequently handle the
case where emails overrun that limit.  That the bug wasn't assigned to
me outright (I am the maintainer of asyncore, asynchat, and smtpd) was
an understandable mistake.

 - Josiah

Re: Python security team

by Brett Cannon-2

On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner
<victor.stinner@...> wrote:
> Hi,
>
> I would like to know if a Python security team does exist. I sent an email
> about an imageop issue, and I didn't get any answer. Later I learned that a
> security ticket was created, I don't have access to it.
>

Yes, the PSRT (Python Security Response Team) does exist. We did get
your email; sorry we didn't respond. There are very few members on
that list and most of them are extremely busy. Responding to your
email just slipped through the cracks. I believe Benjamin was the last
person to work on your submitted patch.

> First, I would like to have access to this information. Not only this issue, but
> all security related issues. I have some knowledge about security and I can
> help to resolve issues and/or estimate the criticality of an issue.
>

That would require commit privileges first. Don't know if the group
requires that a person have a decent amount of time committing to the
core first (I just joined the list in late July).

> Second, I would like to help to fix all Python security issues. It looks like
> Python community isn't very reactive (proactive?) about security. Eg. a DoS
> was reported in smtpd server (integrated to Python)... 15 months ago. A patch
> is available but it's not applied in Python trunk.
>

Historically we have not been proactive. No one on the core team (that
I know of) would claim they are a security expert. And with Python not
making any claims to being secure, we just don't worry about DoS
stuff, etc.; only the severe buffer overflow attacks that get reported
and such typically get immediate attention. Considering we have a
Crashers directory in the test suite I think that shows we are not
stressed over plugging every potential crash (although we obviously
would like to).

> Third, I'm also looking for a document explaining "how Python is secure" (!).
> If a user can run arbitrary Python code, we know that it can do anything
> (read/remove any file, create/kill any process, read/write anywhere in
> memory, etc.). Brett wrote a paper about CPython sandboxing. PyPy is also
> working on sandboxing using two interpreters: one has high privilege and
> executes instructions from the second interpreter (after checking the
> permissions and arguments). So is there somewhere a document to explain the
> current status of Python security?
>

Nope. I think my paper and blog posts are about the best you are going
to find since we removed Bastion/rexec. Basically the philosophy has
been "fix privilege escalation stuff immediately, fix crashers when
the fix is simple or someone has the time to fix the complicated
ones". Or at least that is the philosophy I personally have followed.

-Brett

Re: Python security team

by Steve Holden-5

Brett Cannon wrote:

> On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner
> <victor.stinner@...> wrote:
>> Hi,
>>
>> I would like to know if a Python security team does exist. I sent an email
>> about an imageop issue, and I didn't get any answer. Later I learned that a
>> security ticket was created, I don't have access to it.
>>
>
> Yes, the PSRT (Python Security Response Team) does exist. We did get
> your email; sorry we didn't respond. There are very few members on
> that list and most of them are extremely busy. Responding to your
> email just slipped through the cracks. I believe Benjamin was the last
> person to work on your submitted patch.
>
[...]

If we don't have a documented procedure, or if we do have a procedure
and it isn't being followed, we can't be said to be taking security
seriously, which I would find disappointing. This is one of the few
areas where we probably *do* need to be meticulous, and the absence of a
reply to a security report isn't really satisfactory.

Perhaps if the PSF does eventually hire some paid help, running the
secretarial and administrative portions of the security team would help
the busy members to avoid such issues dropping through the cracks in future.

regards
 Steve
--
Steve Holden        +1 571 484 6266   +1 800 494 3119
Holden Web LLC              http://www.holdenweb.com/

Re: Python security team

by Victor STINNER

On Sunday 28 September 2008 02:45:14, Brett Cannon wrote:
> > Second, I would like to help to fix all Python security issues. It looks
> > like Python community isn't very reactive (proactive?) about security.
> > Eg. a DoS was reported in smtpd server (integrated to Python)... 15
> > months ago. A patch is available but it's not applied in Python trunk.
>
> Historically we have not been proactive.

Well, I just asked to know the current status. First step for a secure program
is to know its limits ;)

> Nope. I think my paper and blog posts are about the best you are going
> to find

I will try to write a document about Python and security next week.


--
Victor Stinner aka haypo
http://www.haypocalc.com/blog/

Re: Python security team

by Brett Cannon-2

On Sun, Sep 28, 2008 at 6:39 AM, Steve Holden <steve@...> wrote:

> Brett Cannon wrote:
>> On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner
>> <victor.stinner@...> wrote:
>>> Hi,
>>>
>>> I would like to know if a Python security team does exist. I sent an email
>>> about an imageop issue, and I didn't get any answer. Later I learned that a
>>> security ticket was created, I don't have access to it.
>>>
>>
>> Yes, the PSRT (Python Security Response Team) does exist. We did get
>> your email; sorry we didn't respond. There are very few members on
>> that list and most of them are extremely busy. Responding to your
>> email just slipped through the cracks. I believe Benjamin was the last
>> person to work on your submitted patch.
>>
> [...]
>
> If we don't have a documented procedure, or if we do have a procedure
> and it isn't being followed, we can't be said to be taking security
> seriously, which I would find disappointing. This is one of the few
> areas where we probably *do* need to be meticulous, and the absence of a
> reply to a security report isn't really satisfactory.
>
> Perhaps if the PSF does eventually hire some paid help, running the
> secretarial and administrative portions of the security team would help
> the busy members to avoid such issues dropping through the cracks in future.
>

That actually would be extremely beneficial since as right now a big
problem we have is writing up the official announcement that some
security issue has been plugged and then sticking up the patches
online for people to download.

-Brett

Re: Python security team

by Jan Matejek-2

Brett Cannon wrote:

> On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner
> <victor.stinner@...> wrote:
>> First, I would like to have access to this information. Not only this issue, but
>> all security related issues. I have some knowledge about security and I can
>> help to resolve issues and/or estimate the criticality of an issue.
>>
>
> That would require commit privileges first. Don't know if the group
> requires that a person have a decent amount of time committing to the
> core first (I just joined the list in late July).

commit privileges?
I would be interested in joining the PSRT list too - as a python
maintainer for openSUSE, i think that it would be beneficial for both my
and your work. And i can imagine that maintainers from other
distributions have similar opinion on this ;)
And that does not necessarily mean commit privileges, right?

Or is this an issue of trust, where "we trust you enough to make changes
to the core" equals "we also trust you enough to see the security issues" ?

regards
jan matejek

Re: Python security team

by David Stanek

On Sat, Sep 27, 2008 at 8:45 PM, Brett Cannon <brett@...> wrote:

> On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner
> <victor.stinner@...> wrote:
>>
>> I would like to know if a Python security team does exist. I sent an email
>> about an imageop issue, and I didn't get any answer. Later I learned that a
>> security ticket was created, I don't have access to it.
>>
>
> Yes, the PSRT (Python Security Response Team) does exist. We did get
> your email; sorry we didn't respond. There are very few members on
> that list and most of them are extremely busy. Responding to your
> email just slipped through the cracks. I believe Benjamin was the last
> person to work on your submitted patch.
>

I would be interested in participating. Is there any documentation
about the team or the processes? My Google search just turned up a
bunch of mailing list posts looking for team members.

--
David
http://www.traceback.org

Re: Python security team

by Guido van Rossum

On Mon, Sep 29, 2008 at 5:11 AM, Jan Matejek <jan.matejek@...> wrote:

> Brett Cannon wrote:
>> On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner
>> <victor.stinner@...> wrote:
>>> First, I would like to have access to this information. Not only this issue, but
>>> all security related issues. I have some knowledge about security and I can
>>> help to resolve issues and/or estimate the criticality of an issue.
>>>
>>
>> That would require commit privileges first. Don't know if the group
>> requires that a person have a decent amount of time committing to the
>> core first (I just joined the list in late July).
>
> commit privileges?
> I would be interested in joining the PSRT list too - as a python
> maintainer for openSUSE, i think that it would be beneficial for both my
> and your work. And i can imagine that maintainers from other
> distributions have similar opinion on this ;)
> And that does not necessarily mean commit privileges, right?
>
> Or is this an issue of trust, where "we trust you enough to make changes
> to the core" equals "we also trust you enough to see the security issues" ?

Traditionally we have been extremely careful in selecting people to
join the PSRT -- basically people that have many years of reputation
*within the Python community*.

I think we may have to expand our selection criteria, since the
existing approach has led to a small PSRT whose members are all too
busy to do the necessary legwork. At the same time we need to remain
selective -- I don't think having a crowd of hundreds would be
productive, and we need to be sure that every single member can
absolutely be trusted to take security seriously.

To answer your question directly, I don't think that just being the
Python maintainer for some Linux distribution is enough to qualify --
if our process worked well enough, you'd be getting the patches from
us via some downstream-flowing distribution mechanism that reaches
only trusted people within each vendor organization. I don't happen to
know you personally -- but perhaps other current members of the PSRT
do and that could be enough to secure an invitation.

--
--Guido van Rossum (home page: http://www.python.org/~guido/)

Re: Python security team

by Giampaolo Rodola'

On 27 Sep, 20:04, "Josiah Carlson" <josiah.carl...@...> wrote:

> On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner
>
> <victor.stin...@...> wrote:
> > Second, I would like to help to fix all Python security issues. It looks like
> > Python community isn't very reactive (proactive?) about security. Eg. a DoS
> > was reported in smtpd server (integrated to Python)... 15 months ago. A patch
> > is available but it's not applied in Python trunk.
>
> The smtpd module is not meant to be used without modification.  It is
> the responsibility of the application writer to decide the limitations
> of the emails they want to allow sending, and subsequently handle the
> case where emails overrun that limit.  

The issue does not concern the emails but the buffer used internally
to store the received raw data sent by client.
The user who wants to fix the issue (#1745035) should override the
collect_incoming_data method which is usually not meant to be
modified.
Moreover, there are two RFCs which state that extremely long lines
must be truncated and an error reply must be returned.

--- Giampaolo
http://code.google.com/p/pyftpdlib/
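
The bounded receive buffer described in the message above, as an added example that is not part of the thread, not smtpd's code and not the patch attached to #1745035. The class names, the `feed()` driver, the 512-byte cap and the reply text are assumptions made for illustration; an over-limit line is dropped and answered with an error instead of being accumulated.

```python
# Added illustration: not smtpd's code and not the patch attached to #1745035.
# The two callbacks are named after the asynchat hooks mentioned in the thread;
# feed() is a hypothetical stand-in for asynchat's read loop so this runs alone.

MAX_LINE = 512  # assumed per-line cap in bytes (terminator excluded)
TOO_LONG = b"500 Error: line too long\r\n"  # assumed reply text


class UnboundedCollector:
    """Pattern under discussion: every chunk is kept until a terminator shows up."""

    def __init__(self):
        self.chunks, self.size, self.peak = [], 0, 0
        self.lines = []

    def collect_incoming_data(self, data):
        self.chunks.append(data)
        self.size += len(data)
        self.peak = max(self.peak, self.size)

    def found_terminator(self):
        self.lines.append(b"".join(self.chunks))
        self.chunks, self.size = [], 0


class BoundedCollector(UnboundedCollector):
    """Same hooks, but at most max_line bytes are ever held per connection."""

    def __init__(self, max_line=MAX_LINE):
        super().__init__()
        self.max_line = max_line
        self.overflow = False
        self.replies = []  # what the server would send back to the client

    def collect_incoming_data(self, data):
        if self.overflow:
            return  # already over the cap: drop bytes until the terminator
        if len(data) > self.max_line - self.size:
            self.overflow = True
            self.chunks, self.size = [], 0  # release what was buffered so far
            return
        super().collect_incoming_data(data)

    def found_terminator(self):
        if self.overflow:
            # The oversized line never reaches the command parser.
            self.overflow = False
            self.replies.append(TOO_LONG)
            return
        super().found_terminator()


def feed(collector, stream, terminator=b"\r\n", recv_size=4096):
    """Split stream on terminator and drive the collector's two hooks."""
    pending = b""
    for start in range(0, len(stream), recv_size):
        pending += stream[start:start + recv_size]
        while True:
            head, sep, rest = pending.partition(terminator)
            if not sep:
                break
            if head:
                collector.collect_incoming_data(head)
            collector.found_terminator()
            pending = rest
        # No terminator left: pass on everything except a possible partial one.
        cut = len(pending) - (len(terminator) - 1)
        if cut > 0:
            collector.collect_incoming_data(pending[:cut])
            pending = pending[cut:]
    return collector


# Constructed input: one 1 MB line with no early terminator, then a normal command.
SAMPLE = b"A" * 1_000_000 + b"\r\n" + b"HELO client.example\r\n"

if __name__ == "__main__":
    naive = feed(UnboundedCollector(), SAMPLE)
    capped = feed(BoundedCollector(), SAMPLE)
    print("unbounded peak bytes:", naive.peak)
    print("bounded peak bytes:  ", capped.peak, capped.replies, capped.lines)
```

The `peak` counter is the figure to watch: it tracks the largest number of bytes held for one connection, which is what the cap bounds.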

Re: Python security team

by Josiah Carlson-3

On Mon, Sep 29, 2008 at 12:02 PM, Giampaolo Rodola' <gnewsg@...> wrote:

> On 27 Sep, 20:04, "Josiah Carlson" <josiah.carl...@...> wrote:
>> On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner
>>
>> <victor.stin...@...> wrote:
>> > Second, I would like to help to fix all Python security issues. It looks like
>> > Python community isn't very reactive (proactive?) about security. Eg. a DoS
>> > was reported in smtpd server (integrated to Python)... 15 months ago. A patch
>> > is available but it's not applied in Python trunk.
>>
>> The smtpd module is not meant to be used without modification.  It is
>> the responsibility of the application writer to decide the limitations
>> of the emails they want to allow sending, and subsequently handle the
>> case where emails overrun that limit.
>
> The issue does not concern the emails but the buffer used internally
> to store the received raw data sent by client.
> The user who wants to fix the issue (#1745035) should override the
> collect_incoming_data method which is usually not meant to be
> modified.
> Moreover, there are two RFCs which state that extremely long lines
> must be truncated and an error reply must be returned.

We can and should discuss the specifics of this item in the bug report
itself.  I should have replied there instead.

 - Josiah

Re: Python security team

by Giampaolo Rodola'

Yeah, right. Let's continue there.

--- Giampaolo
http://code.google.com/p/pyftpdlib



On 29 Sep, 22:44, "Josiah Carlson" <josiah.carl...@...> wrote:

> On Mon, Sep 29, 2008 at 12:02 PM, Giampaolo Rodola' <gne...@...> wrote:
> > On 27 Sep, 20:04, "Josiah Carlson" <josiah.carl...@...> wrote:
> >> On Sat, Sep 27, 2008 at 8:54 AM, Victor Stinner
>
> >> <victor.stin...@...> wrote:
> >> > Second, I would like to help to fix all Python security issues. It looks like
> >> > Python community isn't very reactive (proactive?) about security. Eg. a DoS
> >> > was reported in smtpd server (integrated to Python)... 15 months ago. A patch
> >> > is available but it's not applied in Python trunk.
>
> >> The smtpd module is not meant to be used without modification.  It is
> >> the responsibility of the application writer to decide the limitations
> >> of the emails they want to allow sending, and subsequently handle the
> >> case where emails overrun that limit.
>
> > The issue does not concern the emails but the buffer used internally
> > to store the received raw data sent by client.
> > The user who wants to fix the issue (#1745035) should override the
> > collect_incoming_data method which is usually not meant to be
> > modified.
> > Moreover, there are two RFCs which state that extremely long lines
> > must be truncated and an error reply must be returned.
>
> We can and should discuss the specifics of this item in the bug report
> itself.  I should have replied there instead.
>
>  - Josiah

Re: Python security team

by jan matějek

Guido van Rossum wrote:
> I think we may have to expand our selection criteria, since the
> existing approach has led to a small PSRT whose members are all too
> busy to do the necessary legwork. At the same time we need to remain
> selective -- I don't think having a crowd of hundreds would be
> productive, and we need to be sure that every single member can
> absolutely be trusted to take security seriously.

of course

>
> To answer your question directly, I don't think that just being the
> Python maintainer for some Linux distribution is enough to qualify --
> if our process worked well enough, you'd be getting the patches from
> us via some downstream-flowing distribution mechanism that reaches
> only trusted people within each vendor organization. I don't happen to

Thanks for your answer. I guess the process is the real problem then.
From what i could observe, the connection between vendor-sec and PSRT is
not really working as it should.
(And then of course you need some kind of upstream flow too, because not
everyone reports to PSRT.)

> know you personally -- but perhaps other current members of the PSRT
> do and that could be enough to secure an invitation.
>
No, i don't think that i'm known well enough to earn the invitation
(yet), this was more of a "so how the hell does it really work" question.


regards,
jan matejek

Re: Python security team

by Steve Holden-5

Jan Matějek wrote:
> Guido van Rossum wrote:
[...]
>> know you personally -- but perhaps other current members of the PSRT
>> do and that could be enough to secure an invitation.
>
> No, i don't think that i'm known well enough to earn the invitation
> (yet), this was more of a "so how the hell does it really work" question.
>
I haven't yet heard anyone make a convincing case that it does. It is a
great idea, and we *do* need to take security seriously, but at present
all we have is a bunch of well-intentioned and over-committed volunteers.

regards
 Steve
--
Steve Holden        +1 571 484 6266   +1 800 494 3119
Holden Web LLC              http://www.holdenweb.com/

Re: Python security team

by Barry Warsaw

On Sep 30, 2008, at 7:27 AM, Jan Matějek <jmatejek@...> wrote:

> Thanks for your answer. I guess the process is the real problem then.
> From what i could observe, the connection between vendor-sec and PSRT is
> not really working as it should.
> (And then of course you need some kind of upstream flow too, because not
> everyone reports to PSRT.)

Please remember that the proper way to contact the PSRT is via security@...
.

FWIW, I am in favor of adding a few trusted people to the team, but  
only if they're willing to actually get stuff done :).  Clearly the  
current team is too swamped to act effectively, myself included.

-Barry