oss-sec mailing list archives

CVE Request -- python-celery / Celery v2.4 -- Privilege escalation due to improper sanitization of --uid and --gid arguments in certain tools (CELERYSA-0001)


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 28 Nov 2011 10:09:01 +0100

Hello Kurt, Steve, vendors,

  a privilege escalation flaw was found in the way 'celeryd-multi',
'celeryd_detach', 'celerybeat' and 'celeryev' tools of Celery,
an asynchronous task queue based on distributed message passing,
performed sanitization of --uid and --gid arguments, provided to
the tools on the command line (only effective user id was changed,
with the real one remaining unchanged). A local attacker could use
this flaw to send messages via the message broker or use the Pickle
serializer to load and execute arbitrary code with elevated privileges.

References:
[1] http://www.celeryproject.org/news/celery-24-released/
[2] http://docs.celeryproject.org/en/latest/changelog.html#version-2-4-4
[3] https://github.com/ask/celery/blob/master/docs/sec/CELERYSA-0001.txt
[4] https://github.com/ask/celery/pull/544

Relevant upstream patch:
[5] https://github.com/gadomski/celery/commit/2afc0ea2ea22bce25013c9867f89e41a48b9251b

Could you allocate a CVE id for this issue?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
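
Added example (not part of the original message, and not Celery's code or the upstream patch): the difference between changing only the effective ids, as the report describes, and a permanent drop that also replaces the real and saved ids. SimulatedCreds, the function names and uid/gid 1000 are constructed for illustration; the model stands in for the kernel so the code runs without root, and passing the default `os` module uses the real calls on Linux.

```python
import os

class SimulatedCreds:
    """Constructed model of Linux (real, effective, saved) ids; starts as root."""

    def __init__(self):
        self.uid, self.gid, self.groups = [0, 0, 0], [0, 0, 0], [0]

    def _check(self, allowed):
        if self.uid[1] != 0 and not allowed:  # euid 0 stands in for CAP_SETUID/CAP_SETGID
            raise PermissionError("Operation not permitted")

    def _set(self, ids, new, effective_only):
        self._check(new in ids)  # unprivileged: only switch among ids already held
        full = self.uid[1] == 0 and not effective_only
        ids[:] = [new, new, new] if full else [ids[0], new, ids[2]]

    def seteuid(self, uid): self._set(self.uid, uid, True)
    def setegid(self, gid): self._set(self.gid, gid, True)
    def setuid(self, uid): self._set(self.uid, uid, False)
    def setgid(self, gid): self._set(self.gid, gid, False)
    def getresuid(self): return tuple(self.uid)
    def getresgid(self): return tuple(self.gid)

    def setgroups(self, groups):
        self._check(False)  # always needs privilege
        self.groups = list(groups)

def weak_drop(uid, gid, osapi=os):
    """The pattern the report describes: only the effective ids change."""
    osapi.setegid(gid)
    osapi.seteuid(uid)

def full_drop(uid, gid, osapi=os):
    """Permanent drop: groups and gid first (still privileged), uid last."""
    osapi.setgroups([gid])
    osapi.setgid(gid)
    osapi.setuid(uid)
    if osapi.getresuid() != (uid,) * 3 or osapi.getresgid() != (gid,) * 3:
        raise RuntimeError("privilege drop incomplete")

def can_regain_root(osapi=os):
    """True if effective uid 0 is still reachable (switches to it when it is)."""
    try:
        osapi.seteuid(0)
    except PermissionError:
        return False
    return True
```

After weak_drop() the real and saved uid are still 0, so any code later loaded into the process can switch back; after full_drop() the same call fails.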

