CVE-2012-0878

Advisory

Paste Script 1.7.5 and earlier does not properly set group memberships during execution with root privileges, which might allow remote attackers to bypass intended file-access restrictions by leveraging a web application that uses the local filesystem.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

Paste Script 1.7.5 and earlier does not properly set group memberships during execution with root privileges, which might allow remote attackers to bypass intended file-access restrictions by leveraging a web application that uses the local filesystem.

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0878
• https://bugzilla.redhat.com/show_bug.cgi?id=796790
• http://groups.google.com/group/paste-users/browse_thread/thread/2aa651ba331c2471
• http://www.openwall.com/lists/oss-security/2012/02/23/1
• https://bitbucket.org/ianb/pastescript/changeset/a19e462769b4
• http://www.openwall.com/lists/oss-security/2012/02/23/4
• https://bitbucket.org/ianb/pastescript/pull-request/3/fix-group-permissions-for-pastescriptserve
• http://rhn.redhat.com/errata/RHSA-2012-1206.html
• http://secunia.com/advisories/48812
• http://secunia.com/advisories/50410