Red Hat Bugzilla – Full Text Bug Listing
| Field | Value |
|---|---|
| Summary | CVE-2012-0878 python-paste-script: Supplementary groups not dropped when starting an application with "paster serve" as root |
| Product | [Other] Security Response |
| Reporter | Jan Lieskovsky <jlieskov> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Version | unspecified |
| CC | a.badger, dmalcolm, fschwarz, jpokorny, lmacken |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Last Closed | 2012-10-03 06:30:30 EDT |
| Type | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Bug Depends On | 796672, 796809, 796810, 796811, 838974 |
Description Jan Lieskovsky 2012-02-23 11:44:07 EST
A security flaw was found in the way Paster, a pluggable command-line frontend, performed privilege dropping upon startup when started as root (for example, to have access to a privileged port) to serve a web-based application: supplementary groups were not dropped properly, regardless of the UID and GID specified in the .ini configuration file or in the --user and --group command-line arguments. A remote attacker could use this flaw, for example, to read or write root-GID-accessible files, if the particular web application provided remote means for local file manipulation.

References:
http://groups.google.com/group/paste-users/browse_thread/thread/2aa651ba331c2471

Patch proposed by the issue reporter:
https://bitbucket.org/ianb/pastescript/pull-request/3/fix-group-permissions-for-pastescriptserve

Upstream patch:
https://bitbucket.org/ianb/pastescript/changeset/a19e462769b4
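The following is an added example, not code from PasteScript or from this bug report. It shows what a complete root-to-user drop looks like for a server of the kind described above: the supplementary group list is reset with initgroups()/setgroups() while the process is still root, before setgid() and setuid(), and the result is self-checked. The `user`/`group` parameters follow the meaning of the --user/--group options mentioned above; the function names, the `keep_user_groups` switch and the constructed group list in the `__main__` block are my own assumptions.

```python
"""Dropping root privileges completely, supplementary groups included.

Added example (not PasteScript code). A server started as root that calls
only setgid()/setuid() keeps the supplementary group list it inherited from
root (often including gid 0), so files readable or writable by those groups
stay reachable after the "drop". The fix is to replace the supplementary
groups with setgroups()/initgroups() first, while still root.
"""
import os
import pwd
import grp


def leaked_supplementary_groups(current_groups, allowed_groups):
    """Return the GIDs in current_groups that are not in allowed_groups.

    Pure helper, usable both after a real drop and on constructed input;
    a non-empty result means the process still holds groups it should
    have given up.
    """
    return sorted(set(current_groups) - set(allowed_groups))


def resolve_ids(user, group=None):
    """Map a user name and optional group name to (uid, gid, user_name).

    Numeric strings are accepted for both, as --user/--group style options
    commonly allow. The group defaults to the user's primary group.
    """
    if str(user).isdigit():
        pw = pwd.getpwuid(int(user))
    else:
        pw = pwd.getpwnam(user)
    if group is None:
        gid = pw.pw_gid
    elif str(group).isdigit():
        gid = int(group)
    else:
        gid = grp.getgrnam(group).gr_gid
    return pw.pw_uid, gid, pw.pw_name


def expected_groups(user_name, gid, keep_user_groups):
    """The group set the process may hold after the drop (assumed policy)."""
    if not keep_user_groups:
        return {gid}
    members = {g.gr_gid for g in grp.getgrall() if user_name in g.gr_mem}
    return members | {gid}


def drop_privileges(user, group=None, keep_user_groups=True):
    """Permanently drop from root to user/group. Must be called as root.

    Order matters: supplementary groups and the gid can only be changed
    while still root, so they go first; setuid() comes last and is
    irreversible. Returns the list of leaked GIDs, which should be [].
    """
    if os.geteuid() != 0:
        raise RuntimeError("drop_privileges() must run as root")
    uid, gid, name = resolve_ids(user, group)
    allowed = expected_groups(name, gid, keep_user_groups)
    if keep_user_groups:
        # Replace root's supplementary groups with the target user's own.
        os.initgroups(name, gid)
    else:
        # No supplementary groups at all: the strictest option.
        os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    # Self-check after the drop: any GID not in `allowed` was inherited
    # from root, which is exactly the leak this bug is about.
    return leaked_supplementary_groups(os.getgroups(), allowed)


if __name__ == "__main__":
    # Constructed input: a process that switched to uid/gid 1000 with
    # setgid()/setuid() alone and still carries gids 0 and 4 from root.
    print(leaked_supplementary_groups([0, 4, 1000], {1000}))  # -> [0, 4]
```

Calling `drop_privileges("www-data")` from a process started as root performs the full drop; the returned list is the check a service should log or fail on at startup, since once setuid() has run there is no way to repair the group list.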
Comment 1 Jan Lieskovsky 2012-02-23 12:07:59 EST
CVE request:  http://www.openwall.com/lists/oss-security/2012/02/23/1
Comment 2 Jan Lieskovsky 2012-02-23 12:24:14 EST
This issue affects the version of the python-paste-script package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the python-paste-script package, as shipped with Fedora EPEL 4 and Fedora EPEL 5 releases. Please schedule an update.

Note: Luke, assuming Fedora EPEL 4 will go EOL shortly. Have filed bug, but feel free to close it if you think it's not appropriate anymore.

--

This issue affects the versions of the python-paste-script package, as shipped with Fedora releases 15 and 16. Please schedule an update.
Comment 3 Jan Lieskovsky 2012-02-23 12:25:36 EST
Created python-paste-script tracking bugs for this issue

Affects: epel-4 [bug 796809]
Affects: epel-5 [bug 796810]
Affects: fedora-all [bug 796811]
Comment 5 Vincent Danen 2012-02-23 18:03:52 EST
This has been assigned CVE-2012-0878: http://www.openwall.com/lists/oss-security/2012/02/23/4
Comment 8 Fedora Update System 2012-03-11 14:52:45 EDT
python-paste-script-1.7.5-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2012-04-06 17:24:20 EDT
python-paste-script-1.7.5-4.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2012-04-06 17:25:10 EDT
python-paste-script-1.7.5-4.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2012-04-11 21:56:58 EDT
python-paste-script-1.7.5-4.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.