Bug 204829 - dev-python/cherrypy < 3.0.2-r1 Directory traversal via malicious cookie (CVE-2008-0252)
Summary: dev-python/cherrypy < 3.0.2-r1 Directory traversal via malicious cookie (CVE-...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/28354/
Whiteboard: C2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-01-07 22:03 UTC by Robert Buchholz (RETIRED)
Modified: 2008-01-27 16:25 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Robert Buchholz (RETIRED) gentoo-dev 2008-01-07 22:03:59 UTC
Secunia:
A vulnerability has been reported in CherryPy, which can be exploited by malicious people to bypass certain security settings.

The vulnerability is caused due to the improper handling of cookies when using file-based sessions. This can be exploited to access files outside the session directory by using directory traversal attacks via the session id.

The vulnerability is reported in version 2.2.1 and 3.0.2. Other versions may also be affected.

Solution:
Fixed in development version 3.1b1 and in the SVN repository.
http://www.cherrypy.org/changeset/1775
http://www.cherrypy.org/changeset/1774

Original Advisory:
http://www.cherrypy.org/ticket/744

See also:
https://bugzilla.redhat.com/show_bug.cgi?id=427664
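The defect described above is a file-based session store building a path from an unvalidated cookie value. The check below is an added example of the containment a hardened store needs; it is not CherryPy's own code, and the session directory, the "session-<id>" file naming and the accepted id format are assumptions made for the example.

```python
import os
import re

# Assumed policy for this example: only characters that can never form a
# path separator or a ".." component are accepted as a session id.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9]{16,128}$")


def is_contained(base_dir: str, candidate: str) -> bool:
    """True if `candidate` resolves to a path inside `base_dir`.

    Both sides go through realpath so that symlinks and ".." components
    are collapsed before the comparison; a bare string prefix check would
    accept "/tmp/sessions-evil" as being inside "/tmp/sessions"."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)
    return os.path.commonpath([base, target]) == base


def session_file_path(session_dir: str, session_id: str) -> str:
    """Return the on-disk path for a session id taken from a cookie, or
    raise ValueError if the id is malformed or would leave `session_dir`."""
    # First line of defence: an allowlist on the raw cookie value.
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("malformed session id")
    candidate = os.path.join(session_dir, "session-" + session_id)
    # Second, independent check: even if the allowlist were loosened later,
    # the resolved path must still stay inside the session directory.
    if not is_contained(session_dir, candidate):
        raise ValueError("session path escapes session directory")
    return os.path.realpath(candidate)


def is_safe_session_id(session_dir: str, session_id: str) -> bool:
    """Convenience wrapper: does this cookie value map to a file we may touch?"""
    try:
        session_file_path(session_dir, session_id)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample cookie values: one well-formed id, one traversal
    # attempt, one that is merely too short to be a real id.
    for sid in ("a3f9c2e1b7d4f6a8c0e2b4d6f8a0c2e4", "../../outside", "abc"):
        print(repr(sid), "->", is_safe_session_id("/tmp/sessions", sid))
```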
Comment 1 Ali Polatel (RETIRED) gentoo-dev 2008-01-08 14:02:10 UTC
cherrypy-3.0.2-r1 includes upstream fix. I want to drop cherrypy-2.* as soon as this one has enough keywords.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-01-08 16:50:36 UTC
Arches, please test and mark stable dev-python/cherrypy-3.0.2-r1.
Target keywords : "ia64 x86"
Comment 3 Markus Ullmann (RETIRED) gentoo-dev 2008-01-08 17:13:42 UTC
We also need 2.2 updated as at least turbogears needs it
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2008-01-08 17:16:51 UTC
ia64/x86 stable
Comment 5 Ali Polatel (RETIRED) gentoo-dev 2008-01-08 22:20:00 UTC
(In reply to comment #3)
> We also need 2.2 updated as at least turbogears needs it
> 

Thanks for reminding. cherrypy-2.2-r2 has the backported patch. I've also fixed the tests for python-2.5 and dropped old versions.
Target keywords for this version are ia64 and x86 as well.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-01-08 23:51:40 UTC
Thanks a lot. Arches, here you go again.
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2008-01-09 14:56:10 UTC
ia64/x86 stable
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-10 19:16:22 UTC
voting time. I vote YES.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-01-10 20:11:32 UTC
This probably allows writing files outside of the session directory. Definitely YES.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-01-27 16:25:57 UTC
GLSA 200801-11, thanks.