Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 405821 (CVE-2012-0878)

Summary: <dev-python/pastescript-2.0.2: Supplementary groups not dropped when started an application with "paster serve" as root (CVE-2012-0878)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=796790
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
files/pastescript-1.7.5-usermod.patch none

Description Agostino Sarubbo gentoo-dev 2012-02-25 21:21:26 UTC 
From redhat bugzilla at $URL:

A security flaw was found in the way Paster, a pluggable command-line frontend,
when started as root (for example to have access to privileged port) to serve a
web based application, performed privileges dropping upon startup
(supplementary groups were not dropped properly regardless of the UID, GID
specified in the .ini configuration file or in the --user and --group CL
arguments). A remote attacker could use this flaw for example to read / write
root GID accessible files, if the particular web application provided remote
means for local file manipulation.

References:
[1]
http://groups.google.com/group/paste-users/browse_thread/thread/2aa651ba331c2471

Patch proposed by the issue reporter:
[2]
https://bitbucket.org/ianb/pastescript/pull-request/3/fix-group-permissions-for-pastescriptserve

Upstream patch:
[3] https://bitbucket.org/ianb/pastescript/changeset/a19e462769b4
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2012-02-29 11:03:00 UTC 
Created attachment 303711 [details, diff]
files/pastescript-1.7.5-usermod.patch

This has the second of the two files included.  The first relies on a hg clone import of the source which rather evades the issue of a current tarball based ebuild.  It merely adds .pyc to a file .hgignore which isn't critical to its reason d'etre.  The first is simply commented out the remainder contains the patch's source from bitbucket.

testuser@archtester ~ $ paster
Usage: /usr/bin/paster COMMAND
Usage: paster [paster_options] COMMAND [command_options]

Options:
  --version         show program's version number and exit
  --plugin=PLUGINS  Add a plugin to the list of commands (plugins are Egg
                    specs; will also require() the Egg)
  -h, --help        Show this help message

Commands:
  create       Create the file layout for a Python distribution
  help         Display help
  make-config  Install a package and create a fresh config file/directory
  points       Show information about entry points
  post         Run a request for the described application
  request      Run a request for the described application
  serve        Serve the described application
  setup-app    Setup an application, given a config file

proves it is working as user.  Looking good
Comment 2 Manuel RĂ¼ger (RETIRED) gentoo-dev 2015-06-13 08:52:56 UTC 
It is fixed in pastescript-2.0; current version is pastescript-2.0.2, which seems to add also python3 support, too.
Comment 3 Justin Lecher (RETIRED) gentoo-dev 2015-06-15 20:15:31 UTC 
*pastescript-2.0.2 (15 Jun 2015)
+
+  15 Jun 2015; Justin Lecher <jlec@gentoo.org> +pastescript-2.0.2.ebuild:
+  Version Bump; bug #405821; fixes CVE-2012-0878
+
Comment 4 Justin Lecher (RETIRED) gentoo-dev 2015-06-15 20:17:23 UTC 
@arches please stabilize

dev-python/paste-2.0.2
dev-python/pastescript-2.0.2
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-06-16 02:39:47 UTC 
ReCategorizing as B4
Comment 6 Agostino Sarubbo gentoo-dev 2015-06-16 07:19:02 UTC 
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-06-17 07:32:07 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Justin Lecher (RETIRED) gentoo-dev 2015-06-17 07:47:03 UTC 
+  17 Jun 2015; Justin Lecher <jlec@gentoo.org> -pastescript-1.7.5-r2.ebuild:
+  Drop vulnerable version
+


Cleaned.
Comment 9 Justin Lecher (RETIRED) gentoo-dev 2015-06-17 07:47:55 UTC 
Just to clarify, only pastescript was vulnerable but paste was needed for the bump.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-06-21 03:28:43 UTC 
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-06-21 19:09:03 UTC 
GLSA vote: no.