
Bug 80109

Summary: dev-python/mod_python CAN-2005-0088 XML flaw
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: davin, pquerna, python
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0168.html
Whiteboard: A4? [glsaupdate] jaervosz
Package list:
Runtime testing required: ---
Attachments (description / flags):
publisher.diff (none)
publisher-2.diff (none)
mod_python-3.1.3.ebuild (none)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-30 11:02:38 UTC
Graham Dumpleton discovered a flaw which can affect anyone using the
publisher handle of the Apache Software Foundation mod_python.  The
publisher handle lets you publish objects inside modules to make them
callable via URL.  The flaw allows a carefully crafted URL to obtain extra
information that should not be visible (information leak).

Although this flaw is similar in nature to the Python issue bug #80094,
it has a lesser impact.
        The fix (tentatively) is this patch to the publisher.py file. As a
        super-quick hack perhaps disallowing access to anything that contains
        "func_" in the apache config may be the way to go.

--- publisher.py.orig   Fri Jan 28 10:26:34 2005
+++ publisher.py        Fri Jan 28 10:33:22 2005
@@ -260,15 +260,31 @@
      (period) to find the last one we're looking for.
      """

-    for obj_str in  object_str.split('.'):
+    parts = object_str.split('.')
+
+    for n range(len(parts)):
+
          obj = getattr(obj, obj_str)
+        obj_type = type(obj)

-        # object cannot be a module
-        if type(obj) == ModuleType:
+        # object cannot be a module or a class
+        if obj_type in [ClassType, ModuleType]:
              raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND

-        realm, user, passwd = process_auth(req, obj, realm,
-                                           user, passwd)
+        if n < (len(parts)-1):
+
+            # all but the last object ...
+
+            # ...must be instance
+            if obj_type != InstanceType:
+                raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
+
+            # ...can't be callable
+            if callable(obj):
+                raise apache.SERVER_RETURN, apache.HTTP_NOT_FOUND
+
+            realm, user, passwd = process_auth(req, obj, realm,
+                                               user, passwd)

      return obj
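Review bot: the rewritten loop header `+    for n range(len(parts)):` is missing the `in` keyword and will not parse, and once the loop variable is `n` the unchanged body line `obj = getattr(obj, obj_str)` refers to `obj_str`, which is no longer bound; together these mean the `+` side is not runnable as posted. Using `for n, obj_str in enumerate(parts):` (or indexing with `parts[n]`) keeps the existing getattr line working. Second, the `process_auth(req, obj, realm, user, passwd)` call has moved inside the `if n < (len(parts)-1):` block, so the final object on the path is no longer passed through process_auth, whereas the removed lines ran it for every object on the path; if the per-object auth check on the leaf is still required, keep that call at loop level after the intermediate-object checks. Finally, `ClassType` and `InstanceType` are new names here, so confirm they are imported from `types` next to `ModuleType` (the import lines are outside this hunk).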
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-30 11:03:49 UTC
POC given but not included on this bug.
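The traversal rules the description and patch above express, as an added Python 3 re-implementation (not mod_python's own code and not from this bug): the sample module, the `NotFound` exception and the leading-underscore guard are assumptions made for the illustration.

```python
# Added example (not mod_python's code, not from this bug): the traversal rules of
# the publisher patch, re-expressed for Python 3 (no InstanceType/ClassType there).
import types
class NotFound(Exception):
    """Stands in for apache.SERVER_RETURN / HTTP_NOT_FOUND in the patch."""

def resolve_object(root, object_str):
    """Walk a dotted path such as 'account.show' from ``root``.
    Patch rules: no element may be a module or a class, and every element
    but the last must be a plain non-callable instance.  Refusing names
    that start with '_' is an assumed extra guard, not in the posted patch.
    """
    parts = object_str.split('.')
    obj = root
    for n, name in enumerate(parts):
        if name.startswith('_') or not hasattr(obj, name):
            raise NotFound(name)
        obj = getattr(obj, name)
        if isinstance(obj, (types.ModuleType, type)):
            raise NotFound(name)      # modules and classes are never published
        if n < len(parts) - 1 and callable(obj):
            raise NotFound(name)      # callables may only be the last element
    return obj

def _sample_module():
    """Constructed stand-in for a module served by the publisher handler."""
    mod = types.ModuleType('published')
    def index(req=None):
        return 'hello'
    class Account:
        def show(self, req=None):
            return 'account page'
    mod.index = index          # published function
    mod.Account = Account      # class: must not be reachable
    mod.account = Account()    # instance container: its methods are reachable
    mod.helper = types         # nested module: must not be reachable
    return mod

def check_paths(paths):
    """Map each constructed request path to 'ok' or 'not found'."""
    mod = _sample_module()
    result = {}
    for path in paths:
        try:
            resolve_object(mod, path)
            result[path] = 'ok'
        except NotFound:
            result[path] = 'not found'
    return result
```

Only a published function or a method reached through a non-callable instance resolves; anything routed through a function, class or module is refused before its attributes can be read.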
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-30 22:28:58 UTC
Created attachment 50028 [details, diff]
publisher.diff

Updated patch.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-02-09 02:44:56 UTC
Created attachment 50803 [details, diff]
publisher-2.diff

Better patch
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-11 02:49:53 UTC
This is public now. Python please provide an updated ebuild.
Comment 5 Rob Cakebread (RETIRED) gentoo-dev 2005-02-11 09:25:19 UTC
Created attachment 51011 [details]
mod_python-3.1.3.ebuild
Comment 6 Rob Cakebread (RETIRED) gentoo-dev 2005-02-11 11:46:35 UTC
Patched 3.1.3 and bumped it to 3.1.3-r1, added both to CVS
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-11 12:00:47 UTC
This one is ready for GLSA.
Comment 8 Elfyn McBratney (beu) (RETIRED) gentoo-dev 2005-02-13 00:04:36 UTC

*** This bug has been marked as a duplicate of 81827 ***
Comment 9 Elfyn McBratney (beu) (RETIRED) gentoo-dev 2005-02-13 00:09:45 UTC
Re-opening - again, so so sorry people. :/
Comment 10 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2005-02-13 00:15:49 UTC
*** Bug 81827 has been marked as a duplicate of this bug. ***
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-13 02:17:47 UTC
GLSA 200502-14
Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-23 08:33:58 UTC
*** Bug 83074 has been marked as a duplicate of this bug. ***
Comment 13 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-07 06:50:46 UTC
Reopening after a 3/4 year ...
Someone please mark mod_python-2.7.11 stable on x86 as it suffers the same
vulnerability and all apache1 users need this one to be secure. We might have to
update the glsa later, not sure atm.
Comment 14 Bryan Østergaard (RETIRED) gentoo-dev 2005-12-10 15:44:16 UTC
Stabled 2.7.11 on x86.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-12-11 10:02:26 UTC
I think this one needs a GLSA update
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-12 22:31:46 UTC
Updated in GLSAmaker, awaiting review.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-12-13 05:53:38 UTC
Looks OK except Resolution should read:

# emerge --sync
# emerge --ask --oneshot --verbose dev-python/mod_python
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-13 06:47:26 UTC
Fixed in GLSAmaker without version bump.
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2005-12-13 09:41:58 UTC
OK for me, clear to go.
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-13 11:36:53 UTC
Committed.

Thx Stefan.