[CVE-2008-0252] Directory traversal vulnerability allows modification of arbitrary files

Bug #187481 reported by William Grant
Affects                    Status        Importance  Assigned to    Milestone
cherrypy3 (Ubuntu)         Fix Released  Undecided   Unassigned
  Edgy                     Invalid       Undecided   Unassigned
  Feisty                   Invalid       Undecided   Unassigned
  Gutsy                    Fix Released  High        William Grant
  Hardy                    Fix Released  Undecided   Unassigned
python-cherrypy (Ubuntu)   Fix Released  High        Unassigned
  Edgy                     Fix Released  High        William Grant
  Feisty                   Fix Released  High        William Grant
  Gutsy                    Fix Released  High        William Grant
  Hardy                    Fix Released  High        Unassigned

Bug Description

Directory traversal vulnerability in the _get_file_path function in (1) lib/sessions.py in CherryPy 3.0.x up to 3.0.2, (2) filter/sessionfilter.py in CherryPy 2.1, and (3) filter/sessionfilter.py in CherryPy 2.x allows remote attackers to create or delete arbitrary files, and possibly read and write portions of arbitrary files, via a crafted session id in a cookie.

All python-cherrypy and cherrypy3 releases are affected, except for cherrypy3/hardy.
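
The flaw described above and the containment check the security updates apply ("ensure that the path generated from the session ID is within the session directory"), as an added example. This is not CherryPy's code or the upstream patch; the function names, the `session-` prefix and the 40-hex-digit ID format are assumptions.

```python
import os
import re
import tempfile

SESSION_PREFIX = "session-"                    # assumed file-name prefix
SESSION_ID_RE = re.compile(r"[0-9a-f]{40}")    # assumed ID format (hex digest)


def vulnerable_file_path(storage_path, session_id):
    """'Before' form: the cookie value is joined into the path unchecked."""
    return os.path.join(storage_path, SESSION_PREFIX + session_id)


def is_contained(storage_path, path):
    """True only if `path` resolves to a location under `storage_path`."""
    root = os.path.realpath(storage_path)
    # commonpath compares whole path components, so a sibling directory such
    # as "<root>-other" is rejected where a plain startswith() would pass it.
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def safe_file_path(storage_path, session_id):
    """Hardened form: allow-list the ID format, then confirm containment."""
    if not SESSION_ID_RE.fullmatch(session_id):
        raise ValueError("invalid session id")
    candidate = os.path.join(storage_path, SESSION_PREFIX + session_id)
    if not is_contained(storage_path, candidate):
        raise ValueError("session path escapes the storage directory")
    return os.path.realpath(candidate)


def demo():
    """Run both forms against constructed sample IDs; nothing is written."""
    storage = tempfile.mkdtemp()
    good_id = "a" * 40              # constructed, well-formed ID
    crafted = "/../../outside"      # constructed ID containing path separators
    result = {
        "vuln_contained": is_contained(storage, vulnerable_file_path(storage, crafted)),
        "good_contained": is_contained(storage, safe_file_path(storage, good_id)),
    }
    try:
        safe_file_path(storage, crafted)
        result["crafted_rejected"] = False
    except ValueError:
        result["crafted_rejected"] = True
    return result
```
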

William Grant (wgrant) wrote :

2.0 (in Dapper) is very different, and doesn't seem vulnerable. cherrypy3 also doesn't exist in Edgy/Feisty. Thanks LP.

Changed in cherrypy3:
status: New → Invalid
status: New → Invalid
importance: Undecided → High
status: New → Triaged
status: New → Fix Released
Changed in python-cherrypy:
importance: Undecided → High
status: New → Triaged
importance: Undecided → High
status: New → Triaged
importance: Undecided → High
status: New → Triaged
importance: Undecided → High
status: New → Triaged
William Grant (wgrant) wrote :

python-cherrypy is fixed in Hardy as well, it seems.

Changed in python-cherrypy:
status: Triaged → Fix Released
William Grant (wgrant)
Changed in cherrypy3:
assignee: nobody → fujitsu
status: Triaged → In Progress
William Grant (wgrant) wrote :
William Grant (wgrant) wrote :
Changed in python-cherrypy:
assignee: nobody → fujitsu
status: Triaged → In Progress
assignee: nobody → fujitsu
status: Triaged → In Progress
assignee: nobody → fujitsu
status: Triaged → In Progress
William Grant (wgrant) wrote :
William Grant (wgrant) wrote :
Kees Cook (kees) wrote :

Thanks for the debdiffs! I've uploaded these and they should publish shortly.

Changed in cherrypy3:
status: In Progress → Fix Committed
Changed in python-cherrypy:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-cherrypy - 2.2.1-3ubuntu1.7.10

---------------
python-cherrypy (2.2.1-3ubuntu1.7.10) gutsy-security; urgency=low

  * SECURITY UPDATE: directory traversal via session cookie ID.
    - debian/patches/10_CVE-2008-0252.diff: Add. Ensure that the path
      generated from the session ID is within the session directory. Patch
      from upstream SVN. (LP: #187481)
    - References:
      + CVE-2008-0252

 -- William Grant <email address hidden> Sun, 09 Mar 2008 15:47:09 +1100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cherrypy3 - 3.0.2-1ubuntu0.1

---------------
cherrypy3 (3.0.2-1ubuntu0.1) gutsy-security; urgency=low

  * SECURITY UPDATE: directory traversal via session cookie ID.
    - debian/patches/10_CVE-2008-0252.diff: Add. Ensure that the path
      generated from the session ID is within the session directory. Patch
      from upstream SVN. (LP: #187481)
    - References:
      + CVE-2008-0252
  * Modify Maintainer value to match the DebianMaintainerField specification.

 -- William Grant <email address hidden> Sun, 09 Mar 2008 15:31:25 +1100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-cherrypy - 2.2.1-3ubuntu1.7.04

---------------
python-cherrypy (2.2.1-3ubuntu1.7.04) feisty-security; urgency=low

  * SECURITY UPDATE: directory traversal via session cookie ID.
    - debian/patches/10_CVE-2008-0252.diff: Add. Ensure that the path
      generated from the session ID is within the session directory. Patch
      from upstream SVN. (LP: #187481)
    - References:
      + CVE-2008-0252

 -- William Grant <email address hidden> Sun, 09 Mar 2008 15:59:14 +1100

Changed in cherrypy3:
status: Fix Committed → Fix Released
Changed in python-cherrypy:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
William Grant (wgrant)
Changed in python-cherrypy:
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.