Date: Thu, 23 Feb 2012 18:05:06 +0100
From: Jan Lieskovsky <>
To: "Steven M. Christey" <>
CC:, Clay Gerrard <>,
        Ian Bicking <>, Jan Pokorny <>,
        David Malcolm <>, Luke Macken <>
Subject: CVE Request -- python-paste-script: Supplementary groups not dropped when started an application with "paster serve" as root

Hello Kurt, Steve, vendors,

   a security flaw was found in the way Paster, a pluggable command-line frontend,
when started as root (for example to have access to a privileged port) to serve a
web-based application, performed privilege dropping upon startup
(supplementary groups were not dropped properly regardless of the UID and GID
specified in the .ini configuration file or in the --user and --group command-line
arguments). A remote attacker could use this flaw, for example, to read or write
root-GID-accessible files, if the particular web application provided remote
means for local file manipulation.

Credit / Issue Reported by: Clay Gerrard


Patch proposed by the issue reporter:

Upstream patch:

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
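A privilege-drop routine of the kind this report calls for, added here as an illustration; it is not Paster's code and not the reporter's patch. The function names (resolve_target, check_privileges, drop_privileges, audit_current_process) are assumptions made for this example, and the credential snapshots in the __main__ block are constructed. The point is the os.setgroups([]) call made while still root, before setgid()/setuid(), together with a check that can be run against a live process or a recorded snapshot to confirm that no supplementary group inherited from root survives the switch.

```python
import grp
import os
import pwd


def resolve_target(user, group=None):
    """Map --user/--group style values (names or numeric ids) to (uid, gid).

    If no group is given, the user's primary group from the passwd entry is used.
    Hypothetical helper written for this example.
    """
    if str(user).isdigit():
        uid = int(user)
        pw_gid = None
    else:
        pw = pwd.getpwnam(user)
        uid, pw_gid = pw.pw_uid, pw.pw_gid

    if group is None:
        if pw_gid is None:
            pw_gid = pwd.getpwuid(uid).pw_gid
        gid = pw_gid
    elif str(group).isdigit():
        gid = int(group)
    else:
        gid = grp.getgrnam(group).gr_gid
    return uid, gid


def check_privileges(uid, gid, groups, expected_uid, expected_gid):
    """Return a list of problems with a process's credentials after a privilege drop.

    Pure function, so it can be run against constructed values; the supplementary
    group check is the one that catches the class of bug described in the post.
    """
    problems = []
    if uid != expected_uid:
        problems.append(f"uid is {uid}, expected {expected_uid}")
    if gid != expected_gid:
        problems.append(f"gid is {gid}, expected {expected_gid}")
    # Some platforms report the primary gid in getgroups(); anything else is leftover.
    leftover = sorted(g for g in groups if g != expected_gid)
    if leftover:
        problems.append(f"supplementary groups retained: {leftover}")
    return problems


def drop_privileges(user, group=None):
    """Irreversibly drop root to the given user/group, clearing supplementary groups.

    Order matters: groups and gid must be changed while still root, because
    setgroups() requires root and setuid() is the step that gives root up.
    """
    if os.getuid() != 0:
        raise RuntimeError("drop_privileges() must be called as root")
    uid, gid = resolve_target(user, group)
    os.setgroups([])   # the step whose absence leaves root's supplementary groups behind
    os.setgid(gid)
    os.setuid(uid)
    problems = check_privileges(os.getuid(), os.getgid(), os.getgroups(), uid, gid)
    if problems:
        raise RuntimeError("privilege drop incomplete: " + "; ".join(problems))
    return uid, gid


def audit_current_process(expected_uid, expected_gid):
    """Check the calling process's live credentials (e.g. from a post-start health check)."""
    return check_privileges(os.getuid(), os.getgid(), os.getgroups(),
                            expected_uid, expected_gid)


if __name__ == "__main__":
    # Constructed credential snapshots, as a process might report them after startup.
    good = (1000, 1000, [1000])
    bad = (1000, 1000, [0, 4, 1000])   # uid/gid switched, root's groups still attached
    print("good:", check_privileges(*good, 1000, 1000))
    print("bad: ", check_privileges(*bad, 1000, 1000))
```

drop_privileges() only runs as root, which is why the verification logic lives in the pure check_privileges() function: the same check can be applied to a running daemon's /proc/PID/status Groups line or to values captured in a test, without needing root in the test environment.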
