Bug 1111034 (CVE-2014-8583)

Summary: CVE-2014-8583 mod_wsgi: failure to handle errors when attempting to drop group privileges
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bkearney, bleanhar, carnil, cbillett, ccoleman, cpelland, cperry, dmcphers, extras-orphan, jdetiber, jdornak, jialiu, jkaluza, jkeck, jmatthew, jokajak, jokerman, jorton, jrusnack, katello-bugs, kseifried, lmacken, lmeyer, mmaslano, mmccomas, mmccune, mmcgrath, mmraka, mrunge, taw, tjay, tomckay, tsanders, vkaigoro, webstack-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-19 21:04:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1111035, 1111036, 1111037    
Bug Blocks: 1111043    
Attachments:
Description Flags
mod_wsgi-4.2.3 Vs mod_wsgi-4.2.4 diff none

Description Murray McAllister 2014-06-19 06:11:02 UTC 
mod_wsgi allows you to host Python applications on the Apache HTTP Server. It was reported that mod_wsgi failed to handle errors when attempting to drop group privileges. An error would be printed, but mod_wsgi would continue running with root group privileges.

If an administrator has configured mod_wsgi to allow less trusted users to run a WSGI application, they could use this flaw to escalate their privileges if a group-dropping function failed.

This issue has been fixed in the 4.2.4 release:

http://modwsgi.readthedocs.org/en/latest/release-notes/version-4.2.4.html

References:

http://seclists.org/oss-sec/2014/q2/545
http://seclists.org/oss-sec/2014/q2/555
Comment 1 Murray McAllister 2014-06-19 06:14:04 UTC 
Created python26-mod_wsgi tracking bugs for this issue:

Affects: epel-5 [bug 1111037]
Comment 2 Murray McAllister 2014-06-19 06:14:11 UTC 
Created mod_wsgi tracking bugs for this issue:

Affects: fedora-all [bug 1111035]
Affects: epel-5 [bug 1111036]
Comment 3 Murray McAllister 2014-06-19 06:17:27 UTC 
Created attachment 910266 [details]
mod_wsgi-4.2.3 Vs mod_wsgi-4.2.4 diff

A diff of upstream versions mod_wsgi-4.2.3 and mod_wsgi-4.2.4.zip. Note all the extra return() calls.
Comment 5 Tomas Hoger 2014-06-19 06:24:07 UTC 
Upstream commit:

https://github.com/GrahamDumpleton/mod_wsgi/commit/545354a80b9cc20d8b6916ca30542eab36c3b8bd
Comment 6 Murray McAllister 2014-06-19 06:25:58 UTC 
CVE request: http://www.openwall.com/lists/oss-security/2014/06/19/7
Comment 7 Kurt Seifried 2014-08-08 19:25:45 UTC 
Red Hat Update Infrastructure 2.1.3 is now in Production 2 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Update Infrastructure Life Cycle: https://access.redhat.com/support/policy/updates/rhui.
Comment 8 Vasyl Kaigorodov 2014-11-04 12:05:38 UTC 
CVE-2014-8583 was assigned to this issue: http://seclists.org/oss-sec/2014/q4/519
Comment 10 Kurt Seifried 2015-02-19 21:04:56 UTC 
Statement:

This issue affects the versions of mod_wsgi as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.