Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request -- python-paste-script: Supplementary groups not dropped when started an application with "paster serve" as root
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 23 Feb 2012 14:47:01 -0700

On 02/23/2012 10:05 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,

  a security flaw was found in the way Paster, a pluggable command-line
frontend,
when started as root (for example to have access to privileged port) to
serve a
web based application, performed privileges dropping upon startup
(supplementary groups were not dropped properly regardless of the UID, GID
specified in the .ini configuration file or in the --user and --group CL
arguments). A remote attacker could use this flaw for example to read /
write
root GID accessible files, if the particular web application provided
remote
means for local file manipulation.

Credit / Issue Reported by: Clay Gerrard

References:
[1]
http://groups.google.com/group/paste-users/browse_thread/thread/2aa651ba331c2471

[2] https://bugzilla.redhat.com/show_bug.cgi?id=796790

Patch proposed by the issue reporter:
[3]
https://bitbucket.org/ianb/pastescript/pull-request/3/fix-group-permissions-for-pastescriptserve


Upstream patch:
[4] https://bitbucket.org/ianb/pastescript/changeset/a19e462769b4

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
-- 
Jan iankko Lieskovsky / Red Hat Security Response Team

Please use CVE-2012-0878 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]