Bug 427664
| Summary: | CVE-2008-0252 CherryPy: Malicious cookies may allow access to files outside the session directory | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Felix Schwarz <felix.schwarz> | ||||
| Component: | python-cherrypy | Assignee: | Toshio Ernie Kuratomi <a.badger> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | el5 | CC: | lkundrak, lmacken | ||||
| Target Milestone: | --- | Keywords: | Reopened, Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | All | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | 2.2.1-8 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2008-01-29 04:05:54 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 432777 | ||||||
| Attachments: |
|
||||||
|
Description
Felix Schwarz
2008-01-06 14:02:09 UTC
Created attachment 290919 [details]
Backported fix
Backported fix attached. I'll give it some brief testing. Luke, should we push this directly to EPEL stable or do we want to push it to EL testing first? Also, we should update the main CherryPy to CP3.x and create a python-cherrypy2-2.x package just for turbogears before it gets too late in the devel cycle for Fedora-9 as that will limit the impact of these bugs. The patch looks fine, has been applied upstream, and doesn't seem to cause any blatant regressions. I'd be fine with pushing this directly to stable. I agree, we should definitely split them out into separate packages. Packages built and requested for pushing to stable on EL-4, EL-5, F-7, and F-8. python-cherrypy-2.2.1-8.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. python-cherrypy-2.2.1-8.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report. CVE id CVE-2008-0252 was assigned to this issue: Directory traversal vulnerability in the _get_file_path function in (1) lib/sessions.py in CherryPy 3.0.x up to 3.0.2, (2) filter/sessionfilter.py in CherryPy 2.1, and (3) filter/sessionfilter.py in CherryPy 2.x allows remote attackers to create or delete arbitrary files, and possibly read and write portions of arbitrary files, via a crafted session id in a cookie. References: http://www.cherrypy.org/ticket/744 http://www.cherrypy.org/changeset/1774 http://www.cherrypy.org/changeset/1775 http://www.cherrypy.org/changeset/1776 https://bugs.gentoo.org/show_bug.cgi?id=204829 http://www.frsirt.com/english/advisories/2008/0039 http://secunia.com/advisories/28354 Patch from http://www.cherrypy.org/changeset/1775 has been applied to F7, F8, rawhide, EL-4, and EL-5 packages. It is in the stable repository for each distribution. The patch is broken. It uses an undefined variable, fiePath. When used with
sessions in TurboGears it throws an exception every time. Here is the tail end
of the python stack trace:
File
"/usr/lib/python2.5/site-packages/cherrypy/filters/sessionfilter.py",
line 448, in __getattr__
data = sess.session_storage.load(sess.session_id)
File
"/usr/lib/python2.5/site-packages/cherrypy/filters/sessionfilter.py",
line 268, in load
file_path = self._get_file_path(id)
File
"/usr/lib/python2.5/site-packages/cherrypy/filters/sessionfilter.py",
line 329, in _get_file_path
if not os.path.normpath(filePath).startswith(storagePath):
NameError: global name 'filePath' is not defined
New bug reports are appreciated. That way we can track which versions bugs are fixed in. This second issue has been fixed in 2.2.1-10 for EL-4/EL-5. Fedora 7 and 8 are already on 2.3.0 so they don't have this patch applied. |