oss-sec mailing list archives
CVE-2011-2520: flaw in system-config-firewall's usage of pickle allows privilege escalation
From: Vincent Danen <vdanen () redhat com>
Date: Mon, 18 Jul 2011 11:36:39 -0600
Hi folks. I'm not sure if anyone else uses system-config-firewall and system-config-printer, but we had a report of a privilege escalation flaw that could allow a user with access to run these commands to elevate their privileges due to insecure use of the python pickle module. The solution is to use JSON rather than pickle. The details and a patch for CVE-2011-2520 are available in our bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2520 Thanks. --Vincent Danen / Red Hat Security Response Team
Current thread:
- CVE-2011-2520: flaw in system-config-firewall's usage of pickle allows privilege escalation Vincent Danen (Jul 18)