Date: Thu, 23 Feb 2012 14:47:01 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>, Clay Gerrard <clay.gerrard@...il.com>, Ian Bicking <ianbicking@...il.com>, Jan Pokorny <jpokorny@...hat.com>, David Malcolm <dmalcolm@...hat.com>, Luke Macken <lmacken@...hat.com> Subject: Re: CVE Request -- python-paste-script: Supplementary groups not dropped when started an application with "paster serve" as root On 02/23/2012 10:05 AM, Jan Lieskovsky wrote: > Hello Kurt, Steve, vendors, > > a security flaw was found in the way Paster, a pluggable command-line > frontend, > when started as root (for example to have access to privileged port) to > serve a > web based application, performed privileges dropping upon startup > (supplementary groups were not dropped properly regardless of the UID, GID > specified in the .ini configuration file or in the --user and --group CL > arguments). A remote attacker could use this flaw for example to read / > write > root GID accessible files, if the particular web application provided > remote > means for local file manipulation. > > Credit / Issue Reported by: Clay Gerrard > > References: >  > http://groups.google.com/group/paste-users/browse_thread/thread/2aa651ba331c2471 > >  https://bugzilla.redhat.com/show_bug.cgi?id=796790 > > Patch proposed by the issue reporter: >  > https://bitbucket.org/ianb/pastescript/pull-request/3/fix-group-permissions-for-pastescriptserve > > > Upstream patch: >  https://bitbucket.org/ianb/pastescript/changeset/a19e462769b4 > > Could you allocate a CVE id for this? > > Thank you && Regards, Jan. > -- > Jan iankko Lieskovsky / Red Hat Security Response Team Please use CVE-2012-0878 for this issue. -- Kurt Seifried Red Hat Security Response Team (SRT)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ