
Bug 80592

Summary: dev-lang/python SimpleXMLRPCServer remote access vulnerability
Product: Gentoo Security
Reporter: Rob Cakebread (RETIRED) <pythonhead>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: jaervosz, python, soulse
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.python.org/security/PSF-2005-001/
Whiteboard: B1 [glsa] koon
Package list:
Runtime testing required: ---

Description Rob Cakebread (RETIRED) gentoo-dev 2005-02-03 08:24:33 UTC
Versions:     2.2 all versions, 2.3 prior to 2.3.5, 2.4
CVE Names:    CAN-2005-0089

The Python development team has discovered a flaw in the SimpleXMLRPCServer library module which can give remote attackers access to internals of the registered object or its module or possibly other modules. The flaw only affects Python XML-RPC servers that use the register_instance() method to register an object without a _dispatch() method. Servers using only register_function() are not affected.

http://www.python.org/security/PSF-2005-001/

Reproducible: Always
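The register_instance()/_dispatch() distinction the advisory draws can be exercised without a network. The block below is an added example, not code from this bug, from python.org or from the Gentoo package: it feeds XML-RPC requests straight to dispatcher objects and compares three setups. `LegacyDispatcher` is an emulation of the pre-2.3.5 name resolution reconstructed from the advisory's description (assumption: each '.'-separated component is looked up with getattr() and whatever results is called; it is not the original library source). `Calculator`, `GuardedCalculator`, `_secret`, `API_TOKEN` and the `call()` helper are constructed for the demonstration. The patched behaviour is taken from Python 3's `xmlrpc.server`, which carries the fix (`allow_dotted_names` defaults to False and components starting with `_` are refused).

```python
"""Added example: register_instance() without and with _dispatch(),
run against an emulated pre-fix dispatcher and the fixed stdlib one."""
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher

# Constructed module-level value standing in for "internals of the module".
API_TOKEN = "tok-0123"


class Calculator:
    """Registered object WITHOUT a _dispatch() method: the affected pattern."""
    _secret = "s3cr3t"  # constructed internal attribute of the registered object

    def add(self, a, b):
        return a + b


class GuardedCalculator(Calculator):
    """Same object with the _dispatch() method the advisory names as the
    unaffected pattern: the server passes the raw method name and never
    walks attributes itself, so the instance can allowlist what it exports."""
    PUBLIC = ("add",)

    def _dispatch(self, method, params):
        if method not in self.PUBLIC:
            raise ValueError("method %r is not exported" % method)
        return getattr(self, method)(*params)


class LegacyDispatcher(SimpleXMLRPCDispatcher):
    """Emulation of the pre-2.3.5 resolution (assumption: reconstructed from
    the advisory, not the old library source): every dotted component is
    resolved with getattr(), with no check for leading underscores."""

    def _dispatch(self, method, params):
        if method in self.funcs:
            return self.funcs[method](*params)
        if self.instance is not None:
            if hasattr(self.instance, "_dispatch"):
                return self.instance._dispatch(method, params)
            target = self.instance
            for part in method.split("."):
                target = getattr(target, part)
            return target(*params)
        raise Exception('method "%s" is not supported' % method)


def call(dispatcher, method, *params):
    """Encode a request as an XML-RPC client would, push it through the
    dispatcher, and decode the reply as ('ok', value) or ('fault', message)."""
    request = xmlrpc.client.dumps(params, methodname=method)
    response = dispatcher._marshaled_dispatch(request)
    try:
        (value,), _ = xmlrpc.client.loads(response)
        return ("ok", value)
    except xmlrpc.client.Fault as fault:
        return ("fault", fault.faultString)


def legacy_server():
    """Affected configuration: old resolution, instance without _dispatch()."""
    d = LegacyDispatcher()
    d.register_instance(Calculator())
    return d


def patched_server():
    """Fixed library: allow_dotted_names=False, '_'-prefixed names refused."""
    d = SimpleXMLRPCDispatcher()
    d.register_instance(Calculator())
    return d


def guarded_legacy_server():
    """Old resolution, but the instance supplies _dispatch(): unaffected."""
    d = LegacyDispatcher()
    d.register_instance(GuardedCalculator())
    return d


if __name__ == "__main__":
    for name, server in (("legacy", legacy_server()),
                         ("patched", patched_server()),
                         ("legacy + _dispatch", guarded_legacy_server())):
        print(name)
        print("  add(2, 3)                  ->", call(server, "add", 2, 3))
        # Walks into a private attribute of the registered object.
        print("  _secret.upper()            ->", call(server, "_secret.upper"))
        # Walks from a bound method into its module's globals.
        print("  add.__globals__.get(token) ->",
              call(server, "add.__globals__.get", "API_TOKEN"))
```

On the emulated legacy server the dotted names `_secret.upper` and `add.__globals__.get` both succeed and hand back the object's private attribute and a module-level value, which is the exposure the advisory describes; the fixed dispatcher and the `_dispatch()`-equipped instance each turn those calls into faults while `add` keeps working, so adding `_dispatch()` to registered instances is a workable mitigation on a server you cannot upgrade immediately.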
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-02-03 08:45:01 UTC
Python team: please bump and/or apply patches...
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-02-03 08:45:48 UTC
*** Bug 80094 has been marked as a duplicate of this bug. ***
Comment 3 Rob Cakebread (RETIRED) gentoo-dev 2005-02-06 20:31:03 UTC
I've patched and bumped all affected versions in CVS. I believe you can close this now.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-02-07 00:31:24 UTC
No stable marking needed as keywords were conserved by maintainer.

Ready for GLSA, fixed versions seem to be:
 * >=2.2.3-r6
 * >=2.3.3-r2
 * >=2.3.4-r1
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-02-08 11:36:35 UTC
GLSA drafted
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-02-08 11:39:48 UTC
*** Bug 80597 has been marked as a duplicate of this bug. ***
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-02-08 13:34:52 UTC
GLSA 200502-09