Gentoo Archives: gentoo-announce

From: Robert Buchholz <rbu@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 200911-04 ] dstat: Untrusted search path
Date: Wed, 25 Nov 2009 16:18:30
Message-Id: 200911251612.21298.rbu@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200911-04
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: dstat: Untrusted search path
9 Date: November 25, 2009
10 Bugs: #293497
11 ID: 200911-04
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 An untrusted search path vulnerability in the dstat might result in the
19 execution of arbitrary code.
20
21 Background
22 ==========
23
24 dstat is a versatile system resource monitor written in Python.
25
26 Affected packages
27 =================
28
29 -------------------------------------------------------------------
30 Package / Vulnerable / Unaffected
31 -------------------------------------------------------------------
32 1 sys-apps/dstat < 0.6.9-r1 >= 0.6.9-r1
33
34 Description
35 ===========
36
37 Robert Buchholz of the Gentoo Security Team reported that dstat
38 includes the current working directory and subdirectories in the Python
39 module search path (sys.path) before calling "import".
40
41 Impact
42 ======
43
44 A local attacker could entice a user to run "dstat" from a directory
45 containing a specially crafted Python module, resulting in the
46 execution of arbitrary code with the privileges of the user running the
47 application.
48
49 Workaround
50 ==========
51
52 Do not run "dstat" from untrusted working directories.
53
54 Resolution
55 ==========
56
57 All dstat users should upgrade to the latest version:
58
59 # emerge --sync
60 # emerge --ask --oneshot --verbose ">=sys-apps/dstat-0.6.9-r1"
61
62 References
63 ==========
64
65 [ 1 ] CVE-2009-3894
66 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3894
67
68 Availability
69 ============
70
71 This GLSA and any updates to it are available for viewing at
72 the Gentoo Security Website:
73
74 http://security.gentoo.org/glsa/glsa-200911-04.xml
75
76 Concerns?
77 =========
78
79 Security is a primary focus of Gentoo Linux and ensuring the
80 confidentiality and security of our users machines is of utmost
81 importance to us. Any security concerns should be addressed to
82 security@g.o or alternatively, you may file a bug at
83 https://bugs.gentoo.org.
84
85 License
86 =======
87
88 Copyright 2009 Gentoo Foundation, Inc; referenced text
89 belongs to its owner(s).
90
91 The contents of this document are licensed under the
92 Creative Commons - Attribution / Share Alike license.
93
94 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature