Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 80094

Summary: dev-lang/python CAN-2005-0089 (Vendor-Sec)
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: A2? [upstream] / CLASSIFIED 20050203
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-30 09:27:27 UTC
The Python folks have discovered a flaw in SimpleXMLRPCServer that can
affect any XML-RPC servers.  This affects any programs have been written
that allow remote untrusted users to do unrestricted traversal and can 
allow them to access or change function internals using the im_* and 
func_* attributes.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-30 09:28:59 UTC
2.3.5 will be released soon to fix this problem.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-30 22:24:28 UTC
The exploit only works when
register_instance() is called with an instance that does not implement
_dispatch(). XML-RPC servers that use register_function() instead of
register_instance() are not vulnerable. Unfortunately most XML-RPC
tutorials use register_instance() without pointing out the recursive
traversal feature.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-02-03 02:59:00 UTC
Embargo until 1600 UTC today.
See advisory and patches @
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-02-03 08:45:47 UTC
Now public on bug 80592

*** This bug has been marked as a duplicate of 80592 ***