Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 204829

Summary: dev-python/cherrypy < 3.0.2-r1 Directory traversal via malicious cookie (CVE-2008-0252)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: python
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/28354/
Whiteboard: C2 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-01-07 22:03:59 UTC 
Secunia:
A vulnerability has been reported in CherryPy, which can be exploited by malicious people to bypass certain security settings.

The vulnerability is caused due to the improper handling of cookies when using file-based sessions. This can be exploited to access files outside the session directory by using directory traversal attacks via the session id.

The vulnerability is reported in version 2.2.1 and 3.0.2. Other versions may also be affected.

Solution:
Fixed in development version 3.1b1 and in the SVN repository.
http://www.cherrypy.org/changeset/1775
http://www.cherrypy.org/changeset/1774

Original Advisory:
http://www.cherrypy.org/ticket/744

See also:
https://bugzilla.redhat.com/show_bug.cgi?id=427664
Comment 1 Ali Polatel (RETIRED) gentoo-dev 2008-01-08 14:02:10 UTC 
cherrypy-3.0.2-r1 includes upstream fix. I want to drop cherrypy-2.* as soon as this one has enough keywords.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-01-08 16:50:36 UTC 
Arches, please test and mark stable dev-python/cherrypy-3.0.2-r1.
Target keywords : "ia64 x86"
Comment 3 Markus Ullmann (RETIRED) gentoo-dev 2008-01-08 17:13:42 UTC 
We also need 2.2 updated as at least turbogears needs it
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2008-01-08 17:16:51 UTC 
ia64/x86 stable
Comment 5 Ali Polatel (RETIRED) gentoo-dev 2008-01-08 22:20:00 UTC 
(In reply to comment #3)
> We also need 2.2 updated as at least turbogears needs it
> 

Thanks for reminding. cherrypy-2.2-r2 has the backported patch. I've also fixed the tests for python-2.5 and dropped old versions.
Target keywords for this version are ia64 and x86 as well.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-01-08 23:51:40 UTC 
Thanks a lot. Arches, here you go again.
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2008-01-09 14:56:10 UTC 
ia64/x86 stable
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-10 19:16:22 UTC 
voting time. I vote YES.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-01-10 20:11:32 UTC 
This probably allows writing files outside of the session directory. Definately YES.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-01-27 16:25:57 UTC 
GLSA 200801-11, thanks.