Bug 427664 - CVE-2008-0252 CherryPy: Malicious cookies may allow access to files outside the session directory
Product: Fedora EPEL
Classification: Fedora
Component: python-cherrypy
Hardware: All
OS: All
Priority: low
Severity: high
Assigned To: Toshio Ernie Kuratomi
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened, Security
Blocks: CVE-2008-0252
Reported: 2008-01-06 09:02 EST by Felix Schwarz
Modified: 2008-02-14 06:06 EST (History)
Fixed In Version: 2.2.1-8
Doc Type: Bug Fix
Last Closed: 2008-01-28 23:05:54 EST

Attachments
Backported fix (716 bytes, patch)
2008-01-06 12:08 EST, Toshio Kuratomi

Description Felix Schwarz 2008-01-06 09:02:09 EST
In October, a security hole in CherryPy was found, see
http://www.cherrypy.org/ticket/744 for a detailed description and patches.

In EPEL 5, the latest CherryPy version is 2.2.1-6.el5 which does not contain the
Comment 1 Toshio Kuratomi 2008-01-06 12:08:43 EST
Created attachment 290919 [details]
Backported fix
Comment 2 Toshio Kuratomi 2008-01-06 12:13:24 EST
Backported fix attached.  I'll give it some brief testing.  Luke, should we push
this directly to EPEL stable or do we want to push it to EL testing first?

Also, we should update the main CherryPy to CP3.x and create a
python-cherrypy2-2.x package just for turbogears before it gets too late in the
devel cycle for Fedora-9 as that will limit the impact of these bugs.
Comment 3 Luke Macken 2008-01-06 13:31:10 EST
The patch looks fine, has been applied upstream, and doesn't seem to cause any
blatant regressions.  I'd be fine with pushing this directly to stable.

I agree, we should definitely split them out into separate packages.
Comment 4 Toshio Ernie Kuratomi 2008-01-06 15:36:10 EST
Packages built and requested for pushing to stable on EL-4, EL-5, F-7, and F-8.
Comment 5 Fedora Update System 2008-01-06 20:22:07 EST
python-cherrypy-2.2.1-8.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2008-01-06 20:28:45 EST
python-cherrypy-2.2.1-8.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Tomas Hoger 2008-01-14 02:57:10 EST
CVE id CVE-2008-0252 was assigned to this issue:

Directory traversal vulnerability in the _get_file_path function in
(1) lib/sessions.py in CherryPy 3.0.x up to 3.0.2, (2)
filter/sessionfilter.py in CherryPy 2.1, and (3)
filter/sessionfilter.py in CherryPy 2.x allows remote attackers to
create or delete arbitrary files, and possibly read and write portions
of arbitrary files, via a crafted session id in a cookie.

Comment 8 Toshio Ernie Kuratomi 2008-01-14 08:45:50 EST
Patch from http://www.cherrypy.org/changeset/1775 has been applied to F7, F8,
rawhide, EL-4, and EL-5 packages.  It is in the stable repository for each
Comment 9 Rob Crittenden 2008-01-28 21:49:27 EST
The patch is broken. It uses an undefined variable, filePath. When used with
sessions in TurboGears it throws an exception every time. Here is the tail end
of the Python stack trace:

line 448, in __getattr__
    data = sess.session_storage.load(sess.session_id)
line 268, in load
    file_path = self._get_file_path(id)
line 329, in _get_file_path
    if not os.path.normpath(filePath).startswith(storagePath):
NameError: global name 'filePath' is not defined
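An added example, not code from CherryPy or from this bug's patch: the file-backed session lookup pattern that the CVE text (Comment 7) and the traceback above describe, in a pre-fix form beside a hardened form modelled on the normpath/startswith check. The storage path, the "session-" file prefix, the function names and the sample ids are assumptions made for illustration.

```python
import os

SESSION_PREFIX = "session-"   # assumed file naming; illustrative only


def vulnerable_get_file_path(storage_path, session_id):
    """Pre-fix pattern: the cookie-supplied id goes straight into the path,
    so an id containing path separators or '..' lands outside the directory."""
    return os.path.join(storage_path, SESSION_PREFIX + session_id)


def hardened_get_file_path(storage_path, session_id):
    """Post-fix pattern, modelled on the normpath/startswith check in the
    traceback: normalise the joined path and refuse anything that resolves
    outside storage_path.  Returns None when the id is rejected."""
    storage_path = os.path.abspath(storage_path)
    file_path = os.path.abspath(
        os.path.join(storage_path, SESSION_PREFIX + session_id))
    # commonpath() rather than a bare str.startswith(): with startswith alone,
    # "/srv/sessions-old/x" would pass a check against "/srv/sessions".
    if os.path.commonpath([storage_path, file_path]) != storage_path:
        return None
    return file_path


def classify(storage_path, session_ids):
    """Map each id to whether the hardened lookup keeps it inside storage_path."""
    return {sid: hardened_get_file_path(storage_path, sid) is not None
            for sid in session_ids}


if __name__ == "__main__":
    # Constructed sample ids: one ordinary id and one traversal-shaped id.
    for sid in ["4f2c9a", "../../../etc/passwd"]:
        print(repr(sid),
              vulnerable_get_file_path("/srv/sessions", sid),
              hardened_get_file_path("/srv/sessions", sid))
```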
Comment 10 Toshio Ernie Kuratomi 2008-01-28 23:05:54 EST
New bug reports are appreciated.  That way we can track which versions bugs are
fixed in.

This second issue has been fixed in 2.2.1-10 for EL-4/EL-5. Fedora 7 and 8 are
already on 2.3.0 so they don't have this patch applied.
