From redhat bugzilla at $URL:

A security flaw was found in the way Paster, a pluggable command-line frontend, when started as root (for example to have access to a privileged port) to serve a web based application, performed privilege dropping upon startup (supplementary groups were not dropped properly regardless of the UID and GID specified in the .ini configuration file or in the --user and --group CL arguments). A remote attacker could use this flaw, for example, to read / write root GID accessible files, if the particular web application provided remote means for local file manipulation.

References:
[1] http://groups.google.com/group/paste-users/browse_thread/thread/2aa651ba331c2471

Patch proposed by the issue reporter:
[2] https://bitbucket.org/ianb/pastescript/pull-request/3/fix-group-permissions-for-pastescriptserve

Upstream patch:
[3] https://bitbucket.org/ianb/pastescript/changeset/a19e462769b4
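The flaw described in the report is a privilege drop that switches UID and GID but leaves the root-started process's supplementary group list intact. The following is an added example (not pastescript's or paster's own code) of how a daemon should drop privileges: the group list is reset with os.setgroups() before setuid(), because only root may change it, and the resulting credentials are audited so a retained group (GID 0 in the report's scenario) is caught instead of silently kept. The passwd/group tables marked FAKE_* and the user "www" are constructed for the example; drop_privileges() itself uses the real pwd/grp lookups.

```python
"""Added example: drop root privileges completely and verify the result."""
import os
import pwd
import grp
from types import SimpleNamespace


def resolve_target(user, group=None, passwd_lookup=pwd.getpwnam,
                   group_lookup=grp.getgrnam, all_groups=grp.getgrall):
    """Return (uid, gid, supplementary_gids) for the target identity.

    The supplementary list follows initgroups() semantics: the target gid plus
    every group that names the user as a member.  Nothing inherited from the
    root process is carried over.  Lookups are injectable so the logic can be
    exercised without real accounts.
    """
    pw = passwd_lookup(user)
    gid = group_lookup(group).gr_gid if group else pw.pw_gid
    supplementary = sorted({gid} | {g.gr_gid for g in all_groups() if user in g.gr_mem})
    return pw.pw_uid, gid, supplementary


def audit_credentials(uid, gid, groups, expected_uid, expected_gid, allowed_groups):
    """Compare live credentials with the planned ones; return a list of findings.

    An empty list means the drop is complete.  A retained supplementary group
    (e.g. GID 0 kept after switching to an unprivileged uid) is exactly the
    condition the report above describes.
    """
    findings = []
    if uid != expected_uid:
        findings.append(f"uid is {uid}, expected {expected_uid}")
    if gid != expected_gid:
        findings.append(f"gid is {gid}, expected {expected_gid}")
    for leaked in sorted(set(groups) - set(allowed_groups)):
        findings.append(f"supplementary group {leaked} retained after privilege drop")
    return findings


def drop_privileges(user, group=None):
    """Switch the current process to `user`/`group` and refuse to continue
    if any privilege survived.  Must be called while still root."""
    uid, gid, supplementary = resolve_target(user, group)
    # Order matters: the group list and gid can only be changed by root,
    # so they are set before the uid is given up.
    os.setgroups(supplementary)
    os.setgid(gid)
    os.setuid(uid)
    findings = audit_credentials(os.getuid(), os.getgid(), os.getgroups(),
                                 uid, gid, supplementary)
    if findings:
        raise RuntimeError("privilege drop incomplete: " + "; ".join(findings))
    return uid, gid, supplementary


# Constructed sample tables (not real accounts) for offline demonstration.
FAKE_PASSWD = {"www": SimpleNamespace(pw_name="www", pw_uid=1000, pw_gid=1000)}
FAKE_GROUPS = [
    SimpleNamespace(gr_name="root", gr_gid=0, gr_mem=[]),
    SimpleNamespace(gr_name="staff", gr_gid=50, gr_mem=["www"]),
    SimpleNamespace(gr_name="www", gr_gid=1000, gr_mem=[]),
]


def fake_getpwnam(name):
    return FAKE_PASSWD[name]


def fake_getgrnam(name):
    return next(g for g in FAKE_GROUPS if g.gr_name == name)


def fake_getgrall():
    return list(FAKE_GROUPS)


if __name__ == "__main__":
    if os.geteuid() == 0:
        print("dropped to", drop_privileges("nobody"))
    else:
        # Not root: just show what the audit reports for the live process
        # against a plan that mimics the buggy behaviour (GID 0 kept).
        plan = resolve_target("www", passwd_lookup=fake_getpwnam,
                              group_lookup=fake_getgrnam, all_groups=fake_getgrall)
        print("plan:", plan)
        print("audit:", audit_credentials(1000, 1000, [0, 1000], *plan))
```

Running this as root against a real service account performs the drop and raises if the kernel still reports a group outside the planned list; the audit function is the piece worth reusing in a post-start health check.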
Created attachment 303711: files/pastescript-1.7.5-usermod.patch

This has the second of the two files included. The first relies on a hg clone import of the source, which rather evades the issue of a current tarball based ebuild. It merely adds .pyc to a file .hgignore, which isn't critical to its raison d'être. The first is simply commented out; the remainder contains the patch's source from bitbucket.

    testuser@archtester ~ $ paster
    Usage: /usr/bin/paster COMMAND
    Usage: paster [paster_options] COMMAND [command_options]

    Options:
      --version         show program's version number and exit
      --plugin=PLUGINS  Add a plugin to the list of commands (plugins are Egg specs; will also require() the Egg)
      -h, --help        Show this help message

    Commands:
      create       Create the file layout for a Python distribution
      help         Display help
      make-config  Install a package and create a fresh config file/directory
      points       Show information about entry points
      post         Run a request for the described application
      request      Run a request for the described application
      serve        Serve the described application
      setup-app    Setup an application, given a config file

proves it is working as user. Looking good
It is fixed in pastescript-2.0; the current version is pastescript-2.0.2, which also seems to add python3 support.
*pastescript-2.0.2 (15 Jun 2015) + + 15 Jun 2015; Justin Lecher <jlec@gentoo.org> +pastescript-2.0.2.ebuild: + Version Bump; bug #405821; fixes CVE-2012-0878 +
@arches please stabilize dev-python/paste-2.0.2 dev-python/pastescript-2.0.2
ReCategorizing as B4
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
+ 17 Jun 2015; Justin Lecher <jlec@gentoo.org> -pastescript-1.7.5-r2.ebuild: + Drop vulnerable version + Cleaned.
Just to clarify, only pastescript was vulnerable but paste was needed for the bump.
Arches and Maintainer(s), thank you for your work. GLSA Vote: No
GLSA vote: no.