Bug 757542 (CVE-2011-4357) - CVE-2011-4357 clearsilver (neo_cgi): Format string flaw by processing CGI error messages in Python module
Summary: CVE-2011-4357 clearsilver (neo_cgi): Format string flaw by processing CGI err...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-4357
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 757543 757544
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-11-27 17:15 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:48 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-05 15:44:52 UTC


Attachments (Terms of Use)
Local copy of patch, proposed in the Debian Bug Tracking System (292 bytes, patch)
2011-11-27 17:24 UTC, Jan Lieskovsky
no flags Details | Diff

Description Jan Lieskovsky 2011-11-27 17:15:42 UTC
A format string flaw was found in the Python CGI Kit (neo_cgi) module of ClearSilver, a language-neutral HTML templating system, processed certain input, leading to Common Gateway Interface (CGI) script errors. A remote attacker could provide a specially-crafted input, which once processed by an application, using the Python language API of ClearSilver neo_cgi module, could lead to that particular application crash, or, potentially arbitrary code execution with the privileges of the user running the application.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=649322

Patch, proposed by the issue reporter to the Debian Bug Tracking System:
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=fix-cgi-error-format-security.patch;att=1;bug=649322

Comment 1 Jan Lieskovsky 2011-11-27 17:17:14 UTC
This issue affects the versions of the clearsilver package, as shipped with Fedora EPEL 4, 5, and 6 releases. Please schedule an update.

--

This issue affects the versions of the clearsilver package, as shipped with Fedora release of 14, 15, and 16. Please schedule an update.

Comment 2 Jan Lieskovsky 2011-11-27 17:18:17 UTC
Created clearsilver tracking bugs for this issue

Affects: fedora-all [bug 757543]
Affects: epel-all [bug 757544]

Comment 3 Jan Lieskovsky 2011-11-27 17:22:22 UTC
CVE request:
[3] http://www.openwall.com/lists/oss-security/2011/11/27/1

Comment 4 Jan Lieskovsky 2011-11-27 17:24:23 UTC
Created attachment 537196 [details]
Local copy of patch, proposed in the Debian Bug Tracking System

Comment 5 Jan Lieskovsky 2011-11-28 09:56:46 UTC
Follow up from Colin Watson on this
( [4] http://www.openwall.com/lists/oss-security/2011/11/27/2 ):

On Sun, Nov 27, 2011 at 06:21:15PM +0100, Jan Lieskovsky wrote:
>   a format string flaw was found in the Python CGI Kit (neo_cgi)
> module of ClearSilver, a language-neutral HTML templating system,
> processed certain input, leading to Common Gateway Interface (CGI)
> script errors. A remote attacker could provide a specially-crafted
> input, which once processed by an application, using the Python
> language API of ClearSilver neo_cgi module, could lead to that
> particular application crash, or, potentially arbitrary code
> execution with the privileges of the user running the application.
Thanks for responding to this.  FWIW, I've attached a copy of the
original mail I sent to a couple of security@ addresses about this
vulnerability.

-- Colin Watson [cjwatson@debian.org] 

Subject: clearsilver: possible format string vulnerability in Python extension
From: Colin Watson <cjwatson@ubuntu.com>
Date: 11/17/2011 06:12 PM
To: security@debian.org, security@ubuntu.com
CC: clearsilver@packages.debian.org

While doing the Perl 5.14 transition in Ubuntu, I noticed that
clearsilver has a -Wformat-security warning (Ubuntu builds with
-Werror=format-security by default to catch exactly this kind of
problem):

  gcc -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wall -fPIC -Wall -I.. -D_FORTIFY_SOURCE=2 -fPIC -I/usr/include/python2.7 -I.. -D_FORTIFY_SOURCE=2 -fPIC -I../ -I/usr/include/python2.7 -c neo_cgi.c -o build/temp.linux-i686-2.7/neo_cgi.o
  neo_cgi.c: In function 'p_cgi_error':
  neo_cgi.c:181:3: error: format not a string literal and no format arguments [-Werror=format-security]

The effects of this can be reproduced like this:

  $ python
  >>> import neo_cgi
  >>> cgi = neo_cgi.CGI()
  >>> cgi.error('%s')
  Status: 500
  Content-Type: text/html
  
  <html><body>
  An error occured:<pre>|▒U▒LfU▒LfU▒@▒`   ▒`▒y▒, x▒</pre></body></html>

In fact, the examples shipped with clearsilver include exception
handlers that call cgi.error(s), so if you can manage to get a % into
something that will end up in a Python traceback then you can read bits
of process memory over the Internet and possibly do a limited amount of
modification too (with %n).

I have not reported this upstream.
http://code.google.com/p/clearsilver/source/browse/trunk/python/neo_cgi.c
shows that it has not yet been fixed.  Upstream appears to be
http://www.clearsilver.net/ / blong@fiction.net; perhaps somebody could
coordinate with him if you confirm this as a possible vulnerability?

Thanks,

-- Colin Watson [cjwatson@ubuntu.com]

Comment 6 Vincent Danen 2011-11-28 18:41:05 UTC
This was assigned CVE-2011-4357:

http://www.openwall.com/lists/oss-security/2011/11/28/6


Note You need to log in before you can comment on or make changes to this bug.