
Bug 80094

Summary: dev-lang/python CAN-2005-0089 (Vendor-Sec)
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE
Severity: normal
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard: A2? [upstream] / CLASSIFIED 20050203
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-30 09:27:27 UTC
The Python folks have discovered a flaw in SimpleXMLRPCServer that can
affect any XML-RPC servers. This affects any programs that have been written
that allow remote untrusted users to do unrestricted traversal and can
allow them to access or change function internals using the im_* and
func_* attributes.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-30 09:28:59 UTC
2.3.5 will be released soon to fix this problem.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-30 22:24:28 UTC
The exploit only works when
register_instance() is called with an instance that does not implement
_dispatch(). XML-RPC servers that use register_function() instead of
register_instance() are not vulnerable. Unfortunately most XML-RPC
tutorials use register_instance() without pointing out the recursive
traversal feature.
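An added example, not code from this bug or from Python itself, of the two safe server shapes Comment 2 names: register_instance() with an instance that implements _dispatch() (here an explicit allowlist), and register_function() with no instance at all. It exercises the dispatcher offline through SimpleXMLRPCDispatcher._marshaled_dispatch() instead of a socket; the Calculator class and the helper names are made up for illustration. Since the PSF fix, register_instance() also refuses dotted names unless allow_dotted_names=True is passed explicitly.

```python
from xmlrpc.client import Fault, dumps, loads
from xmlrpc.server import SimpleXMLRPCDispatcher


class Calculator:
    """Hypothetical service object exposed over XML-RPC."""

    ALLOWED = frozenset({"add", "sub"})

    def add(self, a, b):
        return a + b

    def sub(self, a, b):
        return a - b

    def _dispatch(self, method, params):
        # Because the instance defines _dispatch(), the server hands every
        # method name here instead of resolving it by attribute traversal,
        # so dotted names ("add.func_name", "add.im_func", ...) never reach
        # getattr(); anything outside the allowlist is refused.
        if method not in self.ALLOWED:
            raise Exception(f"method {method!r} is not supported")
        return getattr(self, method)(*params)


def instance_dispatcher():
    """Safe form 1: register_instance() with an instance that has _dispatch()."""
    d = SimpleXMLRPCDispatcher(allow_none=False, encoding=None)
    d.register_instance(Calculator())
    return d


def function_dispatcher():
    """Safe form 2: register_function() only, so there is no instance to walk."""
    d = SimpleXMLRPCDispatcher(allow_none=False, encoding=None)
    calc = Calculator()
    d.register_function(calc.add, "add")
    d.register_function(calc.sub, "sub")
    return d


def call(dispatcher, method, *params):
    """Round-trip one constructed XML-RPC request without opening a socket.
    Returns the result, or the xmlrpc.client.Fault the server produced."""
    request = dumps(params, methodname=method)
    response = dispatcher._marshaled_dispatch(request)
    try:
        return loads(response)[0][0]
    except Fault as fault:
        return fault
```

With either dispatcher, a plain method name is served and any dotted or unregistered name comes back as a Fault rather than an attribute lookup on the instance.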
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-02-03 02:59:00 UTC
Embargo until 1600 UTC today.
See advisory and patches @ http://www.python.org/security/PSF-2005-001/
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-02-03 08:45:47 UTC
Now public on bug 80592

*** This bug has been marked as a duplicate of 80592 ***