Bug 757542 (CVE-2011-4357)

Summary: CVE-2011-4357 clearsilver (neo_cgi): Format string flaw by processing CGI error messages in Python module
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
CC: extras-orphan, gwync, rcvalle, vdanen
Doc Type: Bug Fix
Last Closed: 2013-04-05 15:44:52 UTC
Bug Depends On: 757543, 757544
Attachments: Local copy of patch, proposed in the Debian Bug Tracking System

Description Jan Lieskovsky 2011-11-27 17:15:42 UTC
A format string flaw was found in the way the Python CGI Kit (neo_cgi) module of ClearSilver, a language-neutral HTML templating system, processed certain input, leading to Common Gateway Interface (CGI) script errors. A remote attacker could provide specially-crafted input which, once processed by an application using the Python language API of the ClearSilver neo_cgi module, could lead to a crash of that particular application or, potentially, arbitrary code execution with the privileges of the user running the application.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649322

Patch, proposed by the issue reporter to the Debian Bug Tracking System:
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=fix-cgi-error-format-security.patch;att=1;bug=649322

Comment 1 Jan Lieskovsky 2011-11-27 17:17:14 UTC
This issue affects the versions of the clearsilver package, as shipped with Fedora EPEL 4, 5, and 6 releases. Please schedule an update.

--

This issue affects the versions of the clearsilver package, as shipped with Fedora releases 14, 15, and 16. Please schedule an update.

Comment 2 Jan Lieskovsky 2011-11-27 17:18:17 UTC
Created clearsilver tracking bugs for this issue

Affects: fedora-all [bug 757543]
Affects: epel-all [bug 757544]

Comment 3 Jan Lieskovsky 2011-11-27 17:22:22 UTC
CVE request:
[3] http://www.openwall.com/lists/oss-security/2011/11/27/1

Comment 4 Jan Lieskovsky 2011-11-27 17:24:23 UTC
Created attachment 537196 [details]
Local copy of patch, proposed in the Debian Bug Tracking System

Comment 5 Jan Lieskovsky 2011-11-28 09:56:46 UTC
Follow-up from Colin Watson on this ([4] http://www.openwall.com/lists/oss-security/2011/11/27/2):

On Sun, Nov 27, 2011 at 06:21:15PM +0100, Jan Lieskovsky wrote:
>   a format string flaw was found in the Python CGI Kit (neo_cgi)
> module of ClearSilver, a language-neutral HTML templating system,
> processed certain input, leading to Common Gateway Interface (CGI)
> script errors. A remote attacker could provide a specially-crafted
> input, which once processed by an application, using the Python
> language API of ClearSilver neo_cgi module, could lead to that
> particular application crash, or, potentially arbitrary code
> execution with the privileges of the user running the application.
Thanks for responding to this.  FWIW, I've attached a copy of the
original mail I sent to a couple of security@ addresses about this
vulnerability.

-- Colin Watson [cjwatson] 

Subject: clearsilver: possible format string vulnerability in Python extension
From: Colin Watson <cjwatson>
Date: 11/17/2011 06:12 PM
To: security, security
CC: clearsilver.org

While doing the Perl 5.14 transition in Ubuntu, I noticed that
clearsilver has a -Wformat-security warning (Ubuntu builds with
-Werror=format-security by default to catch exactly this kind of
problem):

  gcc -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wall -fPIC -Wall -I.. -D_FORTIFY_SOURCE=2 -fPIC -I/usr/include/python2.7 -I.. -D_FORTIFY_SOURCE=2 -fPIC -I../ -I/usr/include/python2.7 -c neo_cgi.c -o build/temp.linux-i686-2.7/neo_cgi.o
  neo_cgi.c: In function 'p_cgi_error':
  neo_cgi.c:181:3: error: format not a string literal and no format arguments [-Werror=format-security]

The effects of this can be reproduced like this:

  $ python
  >>> import neo_cgi
  >>> cgi = neo_cgi.CGI()
  >>> cgi.error('%s')
  Status: 500
  Content-Type: text/html
  
  <html><body>
  An error occured:<pre>|▒U▒LfU▒LfU▒@▒`   ▒`▒y▒, x▒</pre></body></html>

In fact, the examples shipped with clearsilver include exception
handlers that call cgi.error(s), so if you can manage to get a % into
something that will end up in a Python traceback then you can read bits
of process memory over the Internet and possibly do a limited amount of
modification too (with %n).

I have not reported this upstream.
http://code.google.com/p/clearsilver/source/browse/trunk/python/neo_cgi.c
shows that it has not yet been fixed.  Upstream appears to be
http://www.clearsilver.net/ / blong; perhaps somebody could
coordinate with him if you confirm this as a possible vulnerability?

Thanks,

-- Colin Watson [cjwatson]
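The call pattern behind the -Wformat-security warning and the literal-format fix, as an added C example (not ClearSilver's code; the variadic render_error() is an assumed stand-in for a cgi_error()-style sink, and has_format_directive() is a hypothetical pre-check):

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a variadic error sink such as ClearSilver's cgi_error():
 * the third parameter is a printf-style format (assumed shape, not the
 * project's code). The format attribute is what lets gcc -Wformat-security
 * flag a caller that passes a non-literal format with no arguments. */
__attribute__((format(printf, 3, 4)))
static void render_error(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern (what the warning at neo_cgi.c:181 points at): the
 * caller-supplied message becomes the format string, so every '%'
 * directive in it is interpreted and "%s"/"%x" read whatever sits in the
 * missing variadic slots. Only "%%" is exercised below, which is well
 * defined and already shows the message being reinterpreted. */
void error_unsafe(char *out, size_t outlen, const char *msg)
{
    render_error(out, outlen, msg);
}

/* Fixed pattern: a literal format with the message as an ordinary
 * argument, so its bytes are copied verbatim. */
void error_safe(char *out, size_t outlen, const char *msg)
{
    render_error(out, outlen, "%s", msg);
}

/* Returns 1 when msg holds a '%' that is not an escaped "%%", i.e. text
 * (a traceback, say) that the vulnerable path would mis-parse. */
int has_format_directive(const char *msg)
{
    for (const char *p = strchr(msg, '%'); p; p = strchr(p, '%')) {
        if (p[1] == '%') { p += 2; continue; }
        return 1;
    }
    return 0;
}
```

Compiling this with -Wformat-security reproduces the warning on error_unsafe() only, while error_safe() is silent and returns the input unchanged.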

Comment 6 Vincent Danen 2011-11-28 18:41:05 UTC
This was assigned CVE-2011-4357:

http://www.openwall.com/lists/oss-security/2011/11/28/6