Bug 1247732 – CVE-2015-5164 Satellite6: python pickle() processing problem in pulp

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1247732 - (CVE-2015-5164) CVE-2015-5164 Satellite6: python pickle() processing problem in pulp

Summary:	CVE-2015-5164 Satellite6: python pickle() processing problem in pulp

Status:	POST

Aliases:	CVE-2015-5164

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20150728,repor...
Keywords:	Security

Depends On:	1246263
Blocks:
	Show dependency tree / graph

Reported:	2015-07-28 13:10 EDT by Kurt Seifried
Modified:	2018-09-19 11:24 EDT (History)
CC List:	15 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	A flaw was found in the handling of Python pickle()-encoded messages in the Qpid server on Satellite 6. The Qpid server did not properly restrict message types that can be sent from managed content hosts. An attacker with administrative access to a managed content host could send arbitrary messages containing pickle()-encoded data, which would then be processed on the Satellite 6 server and result in possible code execution.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Pulp Redmine	23	Normal	CLOSED - CURRENTRELEASE	As a user, I can rest easy in the knowledge that Pulp's Celery tasks are not serialized dangerously	2016-03-23 14:32 EDT

Groups: None (edit)

Description Kurt Seifried 2015-07-28 13:10:26 EDT

Brian Bouterse of Red Hat reports:

The Qpid server on Satellite6 does not properly restrict message types that can
be sent from managed content hosts. An attacker with administrative access to a
managed content host could send arbitrary messages containing pickle() encoded
data which would then be processed on the Satellite6 server.

Comment 1 pulp-infra@redhat.com 2015-09-11 12:30:58 EDT

The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.

Comment 2 pulp-infra@redhat.com 2015-09-11 12:31:00 EDT

The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.

Comment 3 Kurt Seifried 2015-11-06 00:44:31 EST

Acknowledgement:

This issue was discovered by Brian Bouterse of Red Hat.

Comment 5 pulp-infra@redhat.com 2015-12-09 10:31:40 EST

The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.

Comment 6 pulp-infra@redhat.com 2015-12-11 11:31:28 EST

The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.

Comment 7 pulp-infra@redhat.com 2016-02-23 16:01:43 EST

The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.

Comment 8 pulp-infra@redhat.com 2016-03-23 14:32:14 EDT

The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.

Comment 9 pulp-infra@redhat.com 2016-11-21 16:04:22 EST

All upstream Pulp bugs are at MODIFIED+. Moving this bug to POST.

Note You need to log in before you can comment on or make changes to this bug.