
Bug 358663 (CVE-2010-3492)

Summary: <dev-lang/python-2.7.1-r1: Multiple vulnerabilities (CVE-2010-3492,CVE-2011-1015)
Product: Gentoo Security
Reporter: Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: alexanderyt, python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/43463/
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 358717
Bug Blocks:

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-13 09:10:16 UTC
A vulnerability has been discovered in Python, which can be exploited by malicious people to disclose sensitive information.

The vulnerability is caused due to the "CGIHTTPServer" module incorrectly handling HTTP requests to scripts in the "cgi-bin" directory without e.g. "/" at the beginning of the URI. This can be exploited to retrieve the source code of CGI scripts by sending specially crafted requests to the server.

The vulnerability is confirmed in version 2.6.6. Other versions may also be affected.

Solution
Fixed in the SVN repository and version 2.7 and later.

Provided and/or discovered by
Reported by m.sucajtys in a Python bug.

Original Advisory
Python Bug 2254:
http://bugs.python.org/issue2254

http://secunia.com/advisories/43463/
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-13 09:12:10 UTC
Python maintainers, is it OK to stabilize python-2.7.1-r1? Or would you prefer to backport the patch?
Comment 2 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2011-03-13 15:25:34 UTC
The change is incompatible, so it cannot be backported. dev-lang/python-2.7.1-r1 will be stabilized in bug #358717.
Comment 3 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2011-03-13 15:40:14 UTC
By the way, Python 2.7.1 fixes a bug, which isn't a security vulnerability, but received CVE-2010-3492.
http://bugs.python.org/issue6706
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3492
Comment 4 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2011-06-05 22:47:10 UTC
Stabilization has been finished.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-06-06 01:56:17 UTC
Arfrever, please do not change the status whiteboard. Thank you. Thanks too for the pointer on CVE-2010-3492.

Rerating as A3 for CVE-2010-3492 which the NVD lists as AV:N/AC:L/Au:N/C:N/I:N/A:P. Added to existing GLSA request.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:17:51 UTC
CVE-2010-3492 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3492):
  The asyncore module in Python before 3.2 does not properly handle
  unsuccessful calls to the accept function, and does not have accompanying
  documentation describing how daemon applications should handle unsuccessful
  calls to the accept function, which makes it easier for remote attackers to
  conduct denial of service attacks that terminate these applications via
  network connections.
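Added illustration of the CVE-2010-3492 failure mode described in the comment above (not part of this bug, and not the asyncore source): before Python 3.2, asyncore.dispatcher.accept() returned None instead of a (conn, addr) pair when the kernel reported EWOULDBLOCK/EAGAIN/ECONNABORTED, so a handle_accept() that unpacks the result unconditionally raises TypeError on a spurious wakeup or an aborted connection, and the dispatcher's error path shuts the server down. The listening socket here is a constructed stand-in with a scripted sequence of accept() outcomes, so the block runs offline on any Python 3 without asyncore; the dispatcher_accept() wrapper is a reimplementation of the pre-3.2 behaviour, and the robust handler follows the pattern that 3.2's handle_accepted() callback encodes (only invoked with a real pair).

```python
import errno
import socket


class FakeListener:
    """Constructed stand-in for a listening socket: each accept() call either
    returns the next scripted (conn, addr) pair or raises the scripted errno."""

    def __init__(self, outcomes):
        self._outcomes = list(outcomes)

    def accept(self):
        outcome = self._outcomes.pop(0)
        if isinstance(outcome, int):
            raise socket.error(outcome, errno.errorcode[outcome])
        return outcome


def dispatcher_accept(sock):
    """Reimplementation of what asyncore.dispatcher.accept() did before 3.2:
    transient accept() failures are swallowed and None is returned."""
    try:
        return sock.accept()
    except socket.error as why:
        if why.args[0] in (errno.EWOULDBLOCK, errno.ECONNABORTED, errno.EAGAIN):
            return None
        raise


def naive_handle_accept(sock, handled):
    """Typical pre-3.2 application code: assumes accept() always yields a pair.
    A None return raises TypeError here, which asyncore routes to handle_error()
    and from there to handle_close() on the listening dispatcher."""
    conn, addr = dispatcher_accept(sock)
    handled.append(addr)


def robust_handle_accept(sock, handled):
    """Hardened form: treat None as 'nothing to accept' and keep serving."""
    pair = dispatcher_accept(sock)
    if pair is None:
        return
    conn, addr = pair
    handled.append(addr)


def run_server(handle_accept, outcomes):
    """Drive a handler over the scripted outcomes. Returns (addresses served,
    died) where died is True if the handler raised and the loop would have
    stopped accepting connections."""
    sock = FakeListener(outcomes)
    handled = []
    for _ in range(len(outcomes)):
        try:
            handle_accept(sock, handled)
        except TypeError:
            return handled, True
    return handled, False


# Constructed sequence: one good client, one connection the kernel aborted
# before accept() ran, then another good client.
SCRIPTED_ACCEPTS = [
    (object(), ('10.0.0.1', 40001)),
    errno.ECONNABORTED,
    (object(), ('10.0.0.2', 40002)),
]

if __name__ == '__main__':
    print('naive :', run_server(naive_handle_accept, SCRIPTED_ACCEPTS))
    print('robust:', run_server(robust_handle_accept, SCRIPTED_ACCEPTS))
```

A remote client only needs to open a connection and reset it before the server's select() loop gets around to accept() to trigger the aborted case, which is why the NVD scores it as a network-reachable availability impact.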
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 20:03:49 UTC
CVE-2011-1015 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1015):
  The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in Python
  2.5, 2.6, and 3.0 allows remote attackers to read script source code via an
  HTTP GET request that lacks a / (slash) character at the beginning of the
  URI.
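Added example for CVE-2011-1015 / Python issue 2254 as described in the bug description and in the comment above (this is illustrative code written for this page, not the CPython CGIHTTPServer source, and it is a Python 3 port of 2.x logic): the pre-2.7 is_cgi() did a plain string-prefix test against '/cgi-bin' and '/htbin', so a request line of the form `GET cgi-bin/hello.py HTTP/1.0`, with no leading slash, never matched, fell through to the SimpleHTTPServer file handler, and had its source sent back as a static file. The hardened version canonicalises the path first (forcing the leading slash and folding '.' and '..'), which is the approach 2.7 took and why the change could not be backported without altering behaviour. The '..' case goes beyond the advisory's own example but fails for the same reason; collapse_url_path() is my own rewrite, not the stdlib helper, and the docroot /srv/www and script names are constructed.

```python
import os
import posixpath
import urllib.parse

# Default CGI prefixes recognised by CGIHTTPServer.
CGI_DIRECTORIES = ['/cgi-bin', '/htbin']


def is_cgi_before_27(path):
    """Prefix test as it behaved before the issue2254 fix (reimplemented here).
    'cgi-bin/hello.py' does not start with '/cgi-bin', so it is NOT treated as CGI."""
    for cgi_dir in CGI_DIRECTORIES:
        i = len(cgi_dir)
        if path[:i] == cgi_dir and (not path[i:] or path[i] == '/'):
            return True, (cgi_dir, path[i + 1:])
    return False, None


def collapse_url_path(path):
    """Canonicalise the request path before any prefix test: drop query and
    fragment, percent-decode, force the leading '/', and fold '.' and '..'.
    Illustrative rewrite modelled on 2.7's approach, not the stdlib helper."""
    path = path.split('?', 1)[0].split('#', 1)[0]
    path = urllib.parse.unquote(path)
    parts = []
    for segment in path.split('/'):
        if segment in ('', '.'):
            continue
        if segment == '..':
            if parts:
                parts.pop()
            continue
        parts.append(segment)
    return '/' + '/'.join(parts)


def is_cgi_hardened(path):
    """Same decision, taken on the canonical path, so a missing slash or a
    '..' hop can no longer steer a CGI request to the static file handler."""
    collapsed = collapse_url_path(path)
    for cgi_dir in CGI_DIRECTORIES:
        if collapsed == cgi_dir or collapsed.startswith(cgi_dir + '/'):
            return True, (cgi_dir, collapsed[len(cgi_dir) + 1:])
    return False, None


def translate_path(path, docroot):
    """SimpleHTTPServer-style mapping that an unmatched request falls through to.
    It maps 'cgi-bin/hello.py' to a real file under docroot and serves its bytes."""
    path = path.split('?', 1)[0].split('#', 1)[0]
    path = posixpath.normpath(urllib.parse.unquote(path))
    result = docroot
    for word in path.split('/'):
        if word in ('', os.curdir, os.pardir):
            continue
        result = os.path.join(result, word)
    return result


def route(path, docroot, is_cgi):
    """What the server would do with a request path: run the script ('cgi')
    or hand back the file contents ('static'), i.e. leak the source."""
    matched, info = is_cgi(path)
    if matched:
        return ('cgi', info)
    return ('static', translate_path(path, docroot))


if __name__ == '__main__':
    # Constructed requests: the normal form, the slash-less form from the
    # advisory, and a '..' variant that the old prefix test also misses.
    for request in ('/cgi-bin/hello.py', 'cgi-bin/hello.py',
                    '/static/../cgi-bin/hello.py'):
        print(request)
        print('  before 2.7:', route(request, '/srv/www', is_cgi_before_27))
        print('  hardened  :', route(request, '/srv/www', is_cgi_hardened))
```

The check a practitioner wants on an old deployment is simply `printf 'GET cgi-bin/<script> HTTP/1.0\r\n\r\n' | nc host port`: a response carrying the script text rather than its output means the handler is the pre-2.7 one.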
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-01-06 21:28:01 UTC
This issue was resolved and addressed in
 GLSA 201401-04 at http://security.gentoo.org/glsa/glsa-201401-04.xml
by GLSA coordinator Sergey Popov (pinkbyte).