Bug 990321 – CVE-2013-4482 luci: paster hidden untrusted path and "command" (callable association) injection

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 990321 - (CVE-2013-4482) CVE-2013-4482 luci: paster hidden untrusted path and "command" (callable association) injection

Summary:	CVE-2013-4482 luci: paster hidden untrusted path and "command" (callable asso...

Status:	CLOSED ERRATA

Aliases:	CVE-2013-4482

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	Unspecified Unspecified

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20131120,repor...
Keywords:	Security

Depends On:	1005385
Blocks:	974906 990750
	Show dependency tree / graph

Reported:	2013-07-30 17:51 EDT by Jan Pokorný
Modified:	2014-12-10 09:09 EST (History)
CC List:	6 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	A flaw was found in the way the luci service was initialized. If a system administrator started the luci service from a directory that was writable to by a local user, that user could use this flaw to execute arbitrary code as the root or luci user.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2013-11-21 09:25:36 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:1603	normal	SHIPPED_LIVE	Moderate: luci security, bug fix, and enhancement update	2013-11-20 19:39:24 EST

Groups: None (edit)

Comment 12 Tomas Hoger 2013-10-30 08:01:11 EDT

The luci uses python-paste-script / paster to start serving its web application.  paster searches current working directory and parent directories of CWD for python *.egg-info files or directories.  These are used to define additional commands recognized by the paster script, or to add additional paths to sys.path for the started web application.  luci failed to force safe CWD to compensate for this feature of paster.  If system administrator started luci service while in untrusted directory (e.g. in /tmp), a local user with write permission to the directory could use this flaw to execute arbitrary code with root or luci user privileges.

This issue was addressed by changing service init script to change current working directory before starting luci.

Acknowledgements:

This issue was discovered by Jan Pokorný of Red Hat.

Comment 13 Tomas Hoger 2013-11-20 14:01:18 EST

Lifting embargo.

Comment 14 errata-xmlrpc 2013-11-21 05:33:38 EST

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1603 https://rhn.redhat.com/errata/RHSA-2013-1603.html

Note You need to log in before you can comment on or make changes to this bug.