BugTraq
[ GLSA 201009-08 ] python-updater: Untrusted search path Sep 21 2010 09:42PM
Stefan Behte (craig gentoo org)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201009-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: python-updater: Untrusted search path
Date: September 21, 2010
Bugs: #288361
ID: 201009-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An untrusted search path vulnerability in python-updater might result
in the execution of arbitrary code.

Background
==========

python-updater is a script used to remerge python packages when
changing Python version.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-admin/python-updater < 0.7-r1 >= 0.7-r1

Description
===========

Robert Buchholz of the Gentoo Security Team reported that
python-updater includes the current working directory and
subdirectories in the Python module search path (sys.path) before
calling "import".

Impact
======

A local attacker could entice the root user to run "python-updater"
from a directory containing a specially crafted Python module,
resulting in the execution of arbitrary code with root privileges.

Workaround
==========

Do not run "python-updater" from untrusted working directories.

Resolution
==========

All python-updater users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/python-updater-0.7-r1"

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201009-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security (at) gentoo (dot) org [email concealed] or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkyZJuIACgkQuiczp+KMe7SfoACeP3Tb5NHGYRxVk5W3h6aPp7Ku
xb4An3iwodMSf3d7q7WKvaPxJn5dGqXQ
=07md
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus