Remote code execution due to cPickle deserialization of untrusted data CVE-2014-3699 #229

Open
ghost opened this issue Mar 17, 2015 · 0 comments

ghost commented Mar 17, 2015

Found in a past security audit, agreed with Tristan to make public and file issues here.

Please see https://bugzilla.redhat.com/show_bug.cgi?id=1152544

So in src/netdetect.py and src/health_protocol.py we send and receive pickled
data, no authentication, so anyone with network access == code execution

Code, snipped, basically:

src/netdetect.py

```python
def start_sync_bench_server():
    '''Server is made for receiving keepalives and manage them.'''
    ''' Let's bind a server to the Multicast group '''
    ''' Let's get keepalives from servers '''
    answer = cPickle.loads(sock.recv(10240))

def start_discovery_server():
    '''Server is made for receiving keepalives and manage them.'''
    ''' Let's bind a server to the Multicast group '''
    ''' Until we got a synthesis list from another server '''
    while not synthesis:
        answer = {}
        ''' Let's get keepalives from servers '''
        answer = cPickle.loads(sock.recv(10240))

def start_client(mode, max_clients=0):
    ''' While we are in discovery mode, let's send keepalives '''
    while discovery:
        sys.stderr.write("Sending keepalive for %s\n" % my_mac_addr)
        sock.sendto(cPickle.dumps(host_info), (MCAST_GRP, MCAST_PORT))

        sys.stderr.write("Sending Ready To Bench for %s\n" % my_mac_addr)
        sock.sendto(cPickle.dumps(host_info), (MCAST_GRP, MCAST_PORT))

    sys.stderr.write("Sending Go !\n")
    sock.sendto(cPickle.dumps(host_info), (MCAST_GRP, MCAST_PORT_GO))

def scrub_timestamp():
    '''Scrubing deletes server that didn't sent keepalive on time.'''
    sock.sendto(cPickle.dumps(server_list),
                (MCAST_GRP, MCAST_PORT))

                sys.stderr.write("No remote system detected, exiting\n")
                sock.sendto(cPickle.dumps(message),
                            (MCAST_GRP, MCAST_PORT))
            ''' It's time to send the synthesis to the other nodes '''
            leader = True
            sock.sendto(cPickle.dumps(server_list),
                        (MCAST_GRP, MCAST_PORT))

def wait_for_go():
    global ready_to_bench
    ''' Let's bind a server to the Multicast group '''
    ''' Let's get keepalives from servers '''
    answer = cPickle.loads(sock.recv(10240))
```

src/health_protocol.py

```python
def start_sync_bench_server():
    '''Server is made for receiving keepalives and manage them.'''
    ''' Let's bind a server to the Multicast group '''
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    ''' Let's get keepalives from servers '''
    answer = cPickle.loads(sock.recv(10240))

def start_discovery_server():
    '''Server is made for receiving keepalives and manage them.'''
    ''' Let's bind a server to the Multicast group '''
    ''' Until we got a synthesis list from another server '''
    while not synthesis:
        answer = {}
        ''' Let's get keepalives from servers '''
        answer = cPickle.loads(sock.recv(10240))

def start_client(mode, max_clients=0):
    '''Client is made for generating keepalives.'''
    ''' Let's prepare the socket '''
    ''' While we are in discovery mode, let's send keepalives '''
    while discovery:
        sys.stderr.write("Sending keepalive for %s\n" % my_mac_addr)
        sock.sendto(cPickle.dumps(host_info), (MCAST_GRP, MCAST_PORT))

    while ready_to_bench:
        sys.stderr.write("Sending Ready To Bench for %s\n" % my_mac_addr)
        sock.sendto(cPickle.dumps(host_info), (MCAST_GRP, MCAST_PORT))

    sys.stderr.write("Sending Go !\n")
    sock.sendto(cPickle.dumps(host_info), (MCAST_GRP, MCAST_PORT_GO))

def scrub_timestamp():
    '''Scrubing deletes server that didn't sent keepalive on time.'''
    sock.sendto(cPickle.dumps(server_list),

                sys.stderr.write("No remote system detected, exiting\n")
                sock.sendto(cPickle.dumps(message),

            ''' It's time to send the synthesis to the other nodes '''
            leader = True
            sock.sendto(cPickle.dumps(server_list),

def wait_for_go():
    global ready_to_bench
    ''' Let's bind a server to the Multicast group '''
    ''' Let's get keepalives from servers '''
    answer = cPickle.loads(sock.recv(10240))
```

ghost changed the title from "Remote code execution due to cPickle deserialization of untrusted data" to "Remote code execution due to cPickle deserialization of untrusted data CVE-2014-3699" on Mar 17, 2015
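A hardened replacement for the `cPickle.loads(sock.recv(10240))` pattern reported above, as an added example that is not code from the issue or from the project: messages travel as JSON (data only) behind an HMAC-SHA256 tag that is checked before anything is parsed. It is written for Python 3; the pre-shared key, the field names and the flat-dict message shape are assumptions.

```python
import hashlib
import hmac
import json

TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC-SHA256 tag
MAX_DATAGRAM = 10240                     # receive size used in the snippets above
SCALARS = (str, int, float, bool, type(None))

# Constructed sample values (assumptions, not taken from the project).
DEMO_KEY = b"constructed-demo-key-distribute-out-of-band"
DEMO_HOST_INFO = {"mac": "52:54:00:12:34:56", "hostname": "node1", "ts": 1426550400}


def encode_msg(obj, key):
    """Serialize obj as JSON (data only, no code) and prepend an HMAC tag."""
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, body, hashlib.sha256).digest() + body


def decode_msg(datagram, key):
    """Return the message dict, or None if the datagram must be dropped."""
    if not TAG_LEN < len(datagram) <= MAX_DATAGRAM:
        return None
    tag, body = datagram[:TAG_LEN], datagram[TAG_LEN:]
    # Authenticate before parsing, with a constant-time comparison.
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    try:
        msg = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError, RecursionError):
        return None
    # Assumed message shape: a flat dict of scalars. Reject anything else.
    if not isinstance(msg, dict):
        return None
    if not all(isinstance(v, SCALARS) for v in msg.values()):
        return None
    return msg


if __name__ == "__main__":
    wire = encode_msg(DEMO_HOST_INFO, DEMO_KEY)
    print(decode_msg(wire, DEMO_KEY))              # accepted
    print(decode_msg(wire[:-1] + b"X", DEMO_KEY))  # tampered: dropped
```

The tag authenticates the sender but does not stop a captured datagram from being replayed; a timestamp or counter inside the message, checked by the receiver, would be needed for that.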