Red Hat Bugzilla – Bug 990321
CVE-2013-4482 luci: paster hidden untrusted path and "command" (callable association) injection
Last modified: 2014-12-10 09:09:45 EST
The luci uses python-paste-script / paster to start serving its web application. paster searches current working directory and parent directories of CWD for python *.egg-info files or directories. These are used to define additional commands recognized by the paster script, or to add additional paths to sys.path for the started web application. luci failed to force safe CWD to compensate for this feature of paster. If system administrator started luci service while in untrusted directory (e.g. in /tmp), a local user with write permission to the directory could use this flaw to execute arbitrary code with root or luci user privileges.
This issue was addressed by changing service init script to change current working directory before starting luci.
This issue was discovered by Jan Pokorný of Red Hat.
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:1603 https://rhn.redhat.com/errata/RHSA-2013-1603.html