oss-sec mailing list archives

Re: CVE request: mod_wsgi group privilege dropping [was Re: [oss-security] Security release for mod_wsgi (version 3.5)]


From: cve-assign () mitre org
Date: Tue, 4 Nov 2014 05:38:47 -0500 (EST)

https://github.com/GrahamDumpleton/mod_wsgi/commit/545354a80b9cc20d8b6916ca30542eab36c3b8bd

When there is any sort of error in setting up daemon process group,
kill the process rather than risk running in an unexpected state.

Use CVE-2014-8583.


https://github.com/GrahamDumpleton/mod_wsgi/commit/a8ac5027f1a887cd41e80616b8a80a442a7e0bc7

Fix one off error when checking limit on the number of supplementary
groups for the daemon process group.

This doesn't seem to cross privilege boundaries; there's no way for
untrusted users to specify the supplementary groups.

Incidentally, when there's a statement such as "I am not familiar
enough to know whether any privilege boundaries are crossed here, or
if a user can influence anything" in a CVE request message, it's
probably useful to be even more explicit about what parts of the
message that statement applies to.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
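The two fixes the message cites, failing closed when daemon identity setup goes wrong and bounding the supplementary group list correctly, as an added C example; this is not mod_wsgi's code, and MAX_SUPP_GROUPS, supp_groups_add, drop_privileges and drop_privileges_or_exit are hypothetical names chosen here.

```c
#define _DEFAULT_SOURCE        /* declares setgroups()/seteuid() on glibc and musl */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define MAX_SUPP_GROUPS 16     /* assumed capacity; real code: sysconf(_SC_NGROUPS_MAX) */

struct supp_groups {
    gid_t list[MAX_SUPP_GROUPS];
    int count;
};

/* Append one gid. The bound must be count >= capacity: the off-by-one form
 * (count > capacity) accepts a 17th entry and writes it one past the end of list[]. */
int supp_groups_add(struct supp_groups *sg, gid_t gid)
{
    if (sg->count >= MAX_SUPP_GROUPS) {
        errno = EINVAL;
        return -1;
    }
    sg->list[sg->count++] = gid;
    return 0;
}

/* Switch to uid/gid plus the supplementary list. Returns 0 only when every
 * step succeeded and root cannot be regained; otherwise -1 with errno set. */
int drop_privileges(uid_t uid, gid_t gid, const struct supp_groups *sg)
{
    if (setgroups((size_t)sg->count, sg->list) == -1) return -1;
    if (setgid(gid) == -1) return -1;
    if (setuid(uid) == -1) return -1;
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) {
        errno = EPERM;   /* the drop was reversible: report it as a failure */
        return -1;
    }
    return 0;
}

/* Daemon start-up: any failure ends the process instead of letting it serve
 * requests with whatever partial identity it ended up with. */
void drop_privileges_or_exit(uid_t uid, gid_t gid, const struct supp_groups *sg)
{
    if (drop_privileges(uid, gid, sg) == 0) return;
    fprintf(stderr, "privilege drop to uid %lu failed: %s\n", (unsigned long)uid, strerror(errno));
    exit(EXIT_FAILURE);
}
```

Note that drop_privileges returns -1 both when a syscall is refused (for example an unprivileged caller) and when the drop turns out to be reversible, so the only safe reaction in a daemon is the exit path, not a retry.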