A privilege escalation flaw was found in the way the 'celeryd-multi', 'celeryd_detach', 'celerybeat' and 'celeryev' tools of Celery, an asynchronous task queue based on distributed message passing, performed sanitization of the --uid and --gid arguments provided to the tools on the command line (only the effective user id was changed, with the real one remaining unchanged). A local attacker could use this flaw to send messages via the message broker or use the Pickle serializer to load and execute arbitrary code with elevated privileges.

References:
[1] http://www.celeryproject.org/news/celery-24-released/
[2] http://docs.celeryproject.org/en/latest/changelog.html#version-2-4-4
[3] https://github.com/ask/celery/blob/master/docs/sec/CELERYSA-0001.txt
[4] https://github.com/ask/celery/pull/544

Relevant upstream patch:
[5] https://github.com/gadomski/celery/commit/2afc0ea2ea22bce25013c9867f89e41a48b9251b
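The report above turns on the difference between changing only the effective uid and changing the real, effective and saved ids together. The following is an added example, not code from Celery or from the upstream patch: a privilege drop that sets all three ids and then verifies them, plus a pure check function fed with constructed id tuples that mimic the seteuid-only state the advisory describes.

```python
import os
from typing import List, Tuple

IdTriple = Tuple[int, int, int]  # (real, effective, saved), as os.getresuid() returns


def drop_problems(resuid: IdTriple, resgid: IdTriple, uid: int, gid: int) -> List[str]:
    """List every id that did not end up at the target value.

    A process that only called seteuid() keeps its real and saved uid (e.g. 0),
    so it can later call seteuid(0) and regain root; this check flags that.
    """
    names = ("real", "effective", "saved")
    problems = []
    for name, value in zip(names, resuid):
        if value != uid:
            problems.append("%s uid is %d, expected %d" % (name, value, uid))
    for name, value in zip(names, resgid):
        if value != gid:
            problems.append("%s gid is %d, expected %d" % (name, value, gid))
    return problems


def privileges_fully_dropped(resuid: IdTriple, resgid: IdTriple, uid: int, gid: int) -> bool:
    return not drop_problems(resuid, resgid, uid, gid)


def drop_privileges(uid: int, gid: int) -> None:
    """Irreversibly switch to uid/gid; raise if any of the six ids did not change.

    Assumes it runs as root on Linux: setgroups() and setgid() need root, and
    setuid() only changes all three uids when the caller is privileged.
    """
    # Order matters: drop supplementary groups and the gid while still root,
    # then the uid last (after setuid() there is no privilege left to fix gids).
    os.setgroups([])
    os.setgid(gid)   # real, effective and saved gid
    os.setuid(uid)   # real, effective and saved uid (caller is root)
    problems = drop_problems(os.getresuid(), os.getresgid(), uid, gid)
    if problems:
        raise RuntimeError("privilege drop incomplete: " + "; ".join(problems))


# Constructed sample: the state a worker is left in after seteuid(1000)/setegid(1000)
# from root, i.e. what the advisory describes (real and saved ids still 0).
SETEUID_ONLY = ((0, 1000, 0), (0, 1000, 0))
# Constructed sample: the state after a complete drop via setgid()/setuid() as root.
FULL_DROP = ((1000, 1000, 1000), (1000, 1000, 1000))
```

`drop_problems` can also be run against `os.getresuid()`/`os.getresgid()` of a live worker to audit whether its --uid/--gid handling was complete.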
This issue affects the version of the python-celery package, as shipped with Fedora EPEL 6.

--

This issue affects the versions of the python-celery package, as shipped with Fedora release of 14, 15, and 16.
Updates already submitted prior to this advisory.
CVE request: [6] http://www.openwall.com/lists/oss-security/2011/11/28/1
(In reply to comment #2)

Hi Andrew, right, aware of that (will add the scheduled updates NVR to a subsequent comment). We just needed to dedicate a Red Hat Bugzilla bug for this and request a CVE identifier.

> Updates already submitted prior to this advisory.

Thank you for scheduling those!

Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
This issue is scheduled to be corrected in the following python-celery package updates:
1) python-celery-2.2.8-1.el6 for Fedora EPEL 6,
2) python-celery-2.2.8-1.fc14 for Fedora release of 14,
3) python-celery-2.2.8-1.fc15 for Fedora release of 15,
4) python-celery-2.2.8-1.fc16 for Fedora release of 16.
(In reply to comment #2)

> Updates already submitted prior to this advisory.

Andrew, one more request -- would it be possible to schedule a new python-celery package update for Fedora release of 14 too? (It's still supported [till one month after Fedora release of 16 has been released].)

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Okay will do F14 just now.
(In reply to comment #7)

> Okay will do F14 just now.

Brilliant, thank you.
This was assigned the name CVE-2011-4356: http://www.openwall.com/lists/oss-security/2011/11/28/5
python-celery-2.2.8-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
python-celery-2.2.8-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
python-celery-2.2.8-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.