Bug 358663 (CVE-2010-3492) - <dev-lang/python-2.7.1-r1: Multiple vulnerabilities (CVE-2010-3492,CVE-2011-1015)
Summary: <dev-lang/python-2.7.1-r1: Multiple vulnerabilities (CVE-2010-3492,CVE-2011-1...
Status: RESOLVED FIXED
Alias: CVE-2010-3492
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/43463/
Whiteboard: A3 [glsa]
Keywords:
Depends on: 358717
Blocks:
Reported: 2011-03-13 09:10 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2014-01-06 21:28 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-13 09:10:16 UTC
A vulnerability has been discovered in Python, which can be exploited by malicious people to disclose sensitive information.

The vulnerability is caused due to the "CGIHTTPServer" module incorrectly handling HTTP requests to scripts in the "cgi-bin" directory without e.g. "/" at the beginning of the URI. This can be exploited to retrieve the source code of CGI scripts by sending specially crafted requests to the server.

The vulnerability is confirmed in version 2.6.6. Other versions may also be affected.

Solution
Fixed in the SVN repository and version 2.7 and later.

Provided and/or discovered by
Reported by m.sucajtys in a Python bug.

Original Advisory
Python Bug 2254:
http://bugs.python.org/issue2254

http://secunia.com/advisories/43463/
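
Added example (not part of the original report and not CPython's own code): a simplified model of the routing decision described above, showing how a literal prefix check on the raw request target misses a CGI path that lacks the leading "/" and so falls through to static file serving, while a check on the normalized path does not. The function names, the directory list and the sample request targets are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed CGI directory list for this sketch.
CGI_DIRS = ("/cgi-bin", "/htbin")


def naive_is_cgi(path, cgi_dirs=CGI_DIRS):
    """Literal prefix match on the raw request target (the flawed pattern)."""
    for d in cgi_dirs:
        rest = path[len(d):]
        if path.startswith(d) and (not rest or rest[0] == "/"):
            return True
    return False


def normalized_is_cgi(path, cgi_dirs=CGI_DIRS):
    """Canonicalise the target first, then match on whole path segments."""
    path = unquote(path.split("?", 1)[0])
    path = posixpath.normpath("/" + path.lstrip("/"))
    return any(path == d or path.startswith(d + "/") for d in cgi_dirs)


def dispatch(path, is_cgi):
    """Model of the handler's decision: run as CGI or serve as a static file."""
    return "run-as-cgi" if is_cgi(path) else "serve-file-contents"


def misclassified(targets):
    """Targets the naive check would hand to the static-file path even though
    they resolve inside a CGI directory (useful when reviewing access logs)."""
    return [t for t in targets if normalized_is_cgi(t) and not naive_is_cgi(t)]


# Constructed request targets, e.g. as extracted from an access log.
SAMPLE_TARGETS = ["/cgi-bin/test.py", "cgi-bin/test.py", "/index.html", "/cgi-binary/x"]

if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(f"{t!r:22} naive={dispatch(t, naive_is_cgi):20} "
              f"normalized={dispatch(t, normalized_is_cgi)}")
    print("flag for review:", misclassified(SAMPLE_TARGETS))
```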
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-03-13 09:12:10 UTC
Python maintainers, is it OK to stabilize python-2.7.1-r1? Or would you prefer to backport the patch?
Comment 2 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2011-03-13 15:25:34 UTC
The change is incompatible, so it cannot be backported. dev-lang/python-2.7.1-r1 will be stabilized in bug #358717.
Comment 3 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2011-03-13 15:40:14 UTC
By the way, Python 2.7.1 fixes a bug, which isn't a security vulnerability, but received CVE-2010-3492.
http://bugs.python.org/issue6706
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3492
Comment 4 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2011-06-05 22:47:10 UTC
Stabilization has been finished.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-06-06 01:56:17 UTC
Arfrever, please do not change the status whiteboard. Thank you. Thanks too for the pointer on CVE-2010-3492.

Rerating as A3 for CVE-2010-3492 which the NVD lists as AV:N/AC:L/Au:N/C:N/I:N/A:P. Added to existing GLSA request.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:17:51 UTC
CVE-2010-3492 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3492):
  The asyncore module in Python before 3.2 does not properly handle
  unsuccessful calls to the accept function, and does not have accompanying
  documentation describing how daemon applications should handle unsuccessful
  calls to the accept function, which makes it easier for remote attackers to
  conduct denial of service attacks that terminate these applications via
  network connections.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 20:03:49 UTC
CVE-2011-1015 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1015):
  The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in Python
  2.5, 2.6, and 3.0 allows remote attackers to read script source code via an
  HTTP GET request that lacks a / (slash) character at the beginning of the
  URI.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-01-06 21:28:01 UTC
This issue was resolved and addressed in
 GLSA 201401-04 at http://security.gentoo.org/glsa/glsa-201401-04.xml
by GLSA coordinator Sergey Popov (pinkbyte).