celery/docs/sec/CELERYSA-0002.txt

=========================================
 CELERYSA-0002: Celery Security Advisory
=========================================
:contact: security@celeryproject.org
:CVE id: TBA
:date: 2014-07-10 05:00:00 P.M UTC

Details
=======

:package: celery
:vulnerability: Environment error
:problem type: local
:risk: low
:versions-affected: 2.5, 3.0, 3.1

Description
===========

The built-in utility used to daemonize the Celery worker service sets
an insecure umask by default (umask 0).

This means that any files or directories created by the worker will
end up having world-writable permissions.

In practice this means that local users will be able to modify and possibly
corrupt the files created by user tasks.

This is not immediately exploitable but can be if those files are later
evaluated as a program, for example a task that creates Python program files
that are later executed.

Patches are now available for all maintained versions (see below),
and users are urged to upgrade, even if not directly
affected.

Acknowledgments
===============

Special thanks to Red Hat for originally discovering and reporting the issue.

Systems affected
================

Users of Celery versions 3.0, and 3.1, except the recently
released 3.1.13, are affected if daemonizing the
Celery programs using the `--detach` argument or using the `celery multi` program
to start workers in the background, without setting a custom `--umask`
argument.

Solution
========

NOTE:
    Not all users of Celery will use it to create files, but if you do
    then files may already have been created with insecure permissions.

    So after upgrading, or using the workaround, then please make sure
    that files already created are not world writable.

To work around the issue you can set a custom umask using the ``--umask``
argument:

    $ celery worker -l info --detach --umask=18   # (022)

Or you can upgrade to a more recent version:

- Users of the 3.1 series should upgrade to 3.1.13:

    * ``pip install -U celery``, or
    * ``easy_install -U celery``, or
    * http://pypi.python.org/pypi/celery/3.1.13

- Users of the 3.0 series should upgrade to 3.0.25:

    * ``pip install -U celery==3.0.25``, or
    * ``easy_install -U celery==3.0.25``, or
    * http://pypi.python.org/pypi/celery/3.0.25

Distribution package maintainers are urged to provide their users
with updated packages.

Please direct questions to the celery-users mailing-list:
http://groups.google.com/group/celery-users/,

or if you are planning to report a new security related issue we request that
you keep the information confidential by contacting
security@celeryproject.org instead.

Thank you!