Bug 680094 – CVE-2011-1015 python (CGIHTTPServer): CGI script source code disclosure

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 680094 - (CVE-2011-1015) CVE-2011-1015 python (CGIHTTPServer): CGI script source code disclosure

Summary:	CVE-2011-1015 python (CGIHTTPServer): CGI script source code disclosure

Status:	CLOSED ERRATA

Aliases:	CVE-2011-1015

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	public=20080307,reported=20110218,sou...
Keywords:	Security

Depends On:	680095 693954 693955 693956 693960 693961
Blocks:
	Show dependency tree / graph

Reported:	2011-02-24 05:46 EST by Jan Lieskovsky
Modified:	2011-05-19 09:44 EDT (History)
CC List:	5 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2011-05-19 09:44:09 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:0491	normal	SHIPPED_LIVE	Moderate: python security update	2011-05-05 14:56:24 EDT
Red Hat Product Errata	RHSA-2011:0492	normal	SHIPPED_LIVE	Moderate: python security update	2011-05-05 14:20:30 EDT
Red Hat Product Errata	RHSA-2011:0554	normal	SHIPPED_LIVE	Moderate: python security, bug fix, and enhancement update	2011-05-19 07:35:29 EDT

Groups: None (edit)

Description Jan Lieskovsky 2011-02-24 05:46:51 EST

An information disclosure flaw was found in the way Python
CGI-savvy HTTP Server module processed HTTP GET requests
with relative path in the URI (relevant CGI scripts were
not executed, but rather their content displayed). A remote
attacker could use this flaw to obtain sensitive information.

Upstream bug report:
[1] http://bugs.python.org/issue2254

Related patch:
[2] http://svn.python.org/view?view=revision&revision=71303

Comment 1 Jan Lieskovsky 2011-02-24 05:48:23 EST

CVE Request:
[3] http://www.openwall.com/lists/oss-security/2011/02/23/27

Comment 2 Jan Lieskovsky 2011-02-24 05:51:08 EST

Created python tracking bugs for this issue

Affects: fedora-13 [bug 680095]

Comment 3 Jan Lieskovsky 2011-02-24 05:53:21 EST

This issue affects the versions of the python package, as shipped
with Red Hat Enterprise Linux 4, 5, and 6.

--

This issue affects the version of the python package, as shipped
with Fedora release of 13.

This issue does NOT affect the version of the python package, as
shipped with Fedora release of 14 (particular version already contains
the fix for this issue).

Comment 4 Jan Lieskovsky 2011-02-24 05:55:18 EST

Note related to backporting of particular upstream patch:
(from http://bugs.python.org/issue2254#msg85614):
=================================================

Fixed in trunk r71303.

This potentially changes the behavior of CGIHTTPServer (for the better)
so this is probably not appropriate to backport to a release branch
unless someone really considers the security of this to be severe.

If backported, the new module function should be expanded inline to
avoid adding a new (though undocumented) API.

Closing.

Comment 7 Vincent Danen 2011-02-25 17:24:40 EST

This issue has been assigned the name CVE-2011-1015:

http://www.openwall.com/lists/oss-security/2011/02/24/10

Comment 9 Huzaifa S. Sidhpurwala 2011-04-05 02:23:08 EDT

Regarding comment #4, this is only a demo class shipped with python, and we are fixing this, because there are other security issues to be fixed, so i dont see any issues even if the API changes slightly,

@David,
do you agree with this?

Comment 16 errata-xmlrpc 2011-05-05 14:20:50 EDT

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0492 https://rhn.redhat.com/errata/RHSA-2011-0492.html

Comment 17 errata-xmlrpc 2011-05-05 14:56:47 EDT

This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:0491 https://rhn.redhat.com/errata/RHSA-2011-0491.html

Comment 18 errata-xmlrpc 2011-05-19 07:35:42 EDT

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0554 https://rhn.redhat.com/errata/RHSA-2011-0554.html

Note You need to log in before you can comment on or make changes to this bug.