Bug 680094 (CVE-2011-1015)

Summary: CVE-2011-1015 python (CGIHTTPServer): CGI script source code disclosure
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: dmalcolm, ivazqueznet, jonathansteffan, katzj, psplicha
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 13:44:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 680095, 693954, 693955, 693956, 693960, 693961    
Bug Blocks:    

Description Jan Lieskovsky 2011-02-24 10:46:51 UTC 
An information disclosure flaw was found in the way Python
CGI-savvy HTTP Server module processed HTTP GET requests
with relative path in the URI (relevant CGI scripts were
not executed, but rather their content displayed). A remote
attacker could use this flaw to obtain sensitive information.

Upstream bug report:
[1] http://bugs.python.org/issue2254

Related patch:
[2] http://svn.python.org/view?view=revision&revision=71303
Comment 1 Jan Lieskovsky 2011-02-24 10:48:23 UTC 
CVE Request:
[3] http://www.openwall.com/lists/oss-security/2011/02/23/27
Comment 2 Jan Lieskovsky 2011-02-24 10:51:08 UTC 
Created python tracking bugs for this issue

Affects: fedora-13 [bug 680095]
Comment 3 Jan Lieskovsky 2011-02-24 10:53:21 UTC 
This issue affects the versions of the python package, as shipped
with Red Hat Enterprise Linux 4, 5, and 6.

--

This issue affects the version of the python package, as shipped
with Fedora release of 13.

This issue does NOT affect the version of the python package, as
shipped with Fedora release of 14 (particular version already contains
the fix for this issue).
Comment 4 Jan Lieskovsky 2011-02-24 10:55:18 UTC 
Note related to backporting of particular upstream patch:
(from http://bugs.python.org/issue2254#msg85614):
=================================================

Fixed in trunk r71303.

This potentially changes the behavior of CGIHTTPServer (for the better)
so this is probably not appropriate to backport to a release branch
unless someone really considers the security of this to be severe.

If backported, the new module function should be expanded inline to
avoid adding a new (though undocumented) API.

Closing.
Comment 7 Vincent Danen 2011-02-25 22:24:40 UTC 
This issue has been assigned the name CVE-2011-1015:

http://www.openwall.com/lists/oss-security/2011/02/24/10
Comment 9 Huzaifa S. Sidhpurwala 2011-04-05 06:23:08 UTC 
Regarding comment #4, this is only a demo class shipped with python, and we are fixing this, because there are other security issues to be fixed, so i dont see any issues even if the API changes slightly,

@David,
do you agree with this?
Comment 16 errata-xmlrpc 2011-05-05 18:20:50 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0492 https://rhn.redhat.com/errata/RHSA-2011-0492.html
Comment 17 errata-xmlrpc 2011-05-05 18:56:47 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:0491 https://rhn.redhat.com/errata/RHSA-2011-0491.html
Comment 18 errata-xmlrpc 2011-05-19 11:35:42 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0554 https://rhn.redhat.com/errata/RHSA-2011-0554.html