Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 23 Feb 2012 14:47:01 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>,
        Clay Gerrard <clay.gerrard@...il.com>,
        Ian Bicking <ianbicking@...il.com>, Jan Pokorny <jpokorny@...hat.com>,
        David Malcolm <dmalcolm@...hat.com>, Luke Macken <lmacken@...hat.com>
Subject: Re: CVE Request -- python-paste-script: Supplementary
 groups not dropped when started an application with "paster serve" as root

On 02/23/2012 10:05 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
>   a security flaw was found in the way Paster, a pluggable command-line
> frontend,
> when started as root (for example to have access to privileged port) to
> serve a
> web based application, performed privileges dropping upon startup
> (supplementary groups were not dropped properly regardless of the UID, GID
> specified in the .ini configuration file or in the --user and --group CL
> arguments). A remote attacker could use this flaw for example to read /
> write
> root GID accessible files, if the particular web application provided
> remote
> means for local file manipulation.
> 
> Credit / Issue Reported by: Clay Gerrard
> 
> References:
> [1]
> http://groups.google.com/group/paste-users/browse_thread/thread/2aa651ba331c2471
> 
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=796790
> 
> Patch proposed by the issue reporter:
> [3]
> https://bitbucket.org/ianb/pastescript/pull-request/3/fix-group-permissions-for-pastescriptserve
> 
> 
> Upstream patch:
> [4] https://bitbucket.org/ianb/pastescript/changeset/a19e462769b4
> 
> Could you allocate a CVE id for this?
> 
> Thank you && Regards, Jan.
> -- 
> Jan iankko Lieskovsky / Red Hat Security Response Team

Please use CVE-2012-0878 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ