Bug 757651 (CVE-2011-4356)

Summary: CVE-2011-4356 python-celery: Privilege escalation due to improper sanitization of --uid and --gid arguments in certain tools (CELERYSA-0001)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: andrew, vdanen
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-10-20 15:34:33 UTC

Description Jan Lieskovsky 2011-11-28 09:04:25 UTC
A privilege escalation flaw was found in the way the 'celeryd-multi', 'celeryd_detach', 'celerybeat' and 'celeryev' tools of Celery, an asynchronous task queue based on distributed message passing, performed sanitization of the --uid and --gid arguments provided to the tools on the command line (only the effective user id was changed, with the real one remaining unchanged). A local attacker could use this flaw to send messages via the message broker or use the Pickle serializer to load and execute arbitrary code with elevated privileges.

References:
[1] http://www.celeryproject.org/news/celery-24-released/
[2] http://docs.celeryproject.org/en/latest/changelog.html#version-2-4-4
[3] https://github.com/ask/celery/blob/master/docs/sec/CELERYSA-0001.txt
[4] https://github.com/ask/celery/pull/544

Relevant upstream patch:
[5] https://github.com/gadomski/celery/commit/2afc0ea2ea22bce25013c9867f89e41a48b9251b
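
An added example, not part of this bug report and not Celery's own code: a privilege drop that changes the real, effective and saved IDs and then verifies the result, so the state described above (effective ID changed, real ID unchanged) is rejected. The function names and the sample ID tuples in the comments are constructed for illustration.

```python
import os


def fully_dropped(resuid, resgid, uid, gid):
    """Return True only if real, effective and saved IDs all equal the target.

    resuid/resgid are (real, effective, saved) tuples as returned by
    os.getresuid() / os.getresgid().
    """
    return all(i == uid for i in resuid) and all(i == gid for i in resgid)


def drop_privileges(uid, gid):
    """Irreversibly switch the current (root) process to uid/gid.

    Hypothetical helper: group IDs are changed first, because after the
    uid change the process no longer has the right to change them.
    """
    os.setgroups([])   # drop root's supplementary groups
    os.setgid(gid)     # as root: sets real, effective and saved gid
    os.setuid(uid)     # as root: sets real, effective and saved uid

    # Verify instead of assuming: a seteuid()/setegid()-only drop would
    # leave e.g. (0, 1000, 0) here, and the process could switch back.
    if not fully_dropped(os.getresuid(), os.getresgid(), uid, gid):
        raise RuntimeError("privilege drop incomplete")

    # Regaining root must now be refused by the kernel.
    if uid != 0:
        try:
            os.seteuid(0)
        except PermissionError:
            return
        raise RuntimeError("process was able to regain root")


if __name__ == "__main__":
    # Report the state of the current process without changing it.
    print("real/effective/saved uid:", os.getresuid())
    print("real/effective/saved gid:", os.getresgid())
```
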

Comment 1 Jan Lieskovsky 2011-11-28 09:06:09 UTC
This issue affects the version of the python-celery package, as shipped with Fedora EPEL 6.

--

This issue affects the versions of the python-celery package, as shipped with Fedora release of 14, 15, and 16.

Comment 2 Andrew Colin Kissa 2011-11-28 09:09:48 UTC
Updates already submitted prior to this advisory.

Comment 3 Jan Lieskovsky 2011-11-28 09:10:22 UTC
CVE request:
[6] http://www.openwall.com/lists/oss-security/2011/11/28/1

Comment 4 Jan Lieskovsky 2011-11-28 09:12:09 UTC
(In reply to comment #2)

Hi Andrew,

  Right, aware of that (will add the scheduled updates' NVR to a subsequent comment). We just needed to dedicate a Red Hat Bugzilla bug for this and request a CVE identifier.

> Updates already submitted prior to this advisory.

Thank you for scheduling those!

Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 5 Jan Lieskovsky 2011-11-28 09:14:40 UTC
This issue is scheduled to be corrected in the following python-celery package updates:
1) python-celery-2.2.8-1.el6 for Fedora EPEL 6,
2) python-celery-2.2.8-1.fc14 for Fedora release of 14, 
3) python-celery-2.2.8-1.fc15 for Fedora release of 15,
4) python-celery-2.2.8-1.fc16 for Fedora release of 16.

Comment 6 Jan Lieskovsky 2011-11-28 09:16:15 UTC
(In reply to comment #2)
> Updates already submitted prior to this advisory.

Andrew,

  and one more request -- would it be possible to schedule a new python-celery package update for Fedora release of 14 too? (It's still supported [till one month after Fedora release of 16 has been released].)

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 7 Andrew Colin Kissa 2011-11-28 09:18:28 UTC
Okay will do F14 just now.

Comment 8 Jan Lieskovsky 2011-11-28 09:31:37 UTC
(In reply to comment #7)
> Okay will do F14 just now.

Brilliant, thank you.

Comment 9 Vincent Danen 2011-11-28 18:36:55 UTC
This was assigned the name CVE-2011-4356:

http://www.openwall.com/lists/oss-security/2011/11/28/5

Comment 10 Fedora Update System 2011-12-10 19:34:45 UTC
python-celery-2.2.8-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2011-12-10 20:09:29 UTC
python-celery-2.2.8-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2011-12-13 19:58:06 UTC
python-celery-2.2.8-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.