[resent] [ GLSA 200911-04 ] dstat: Untrusted search path

2009-11-2600:00:00

vulners.com

JSON

Due to an oversight on my part, the original email has not been signed.

Gentoo Linux Security Advisory GLSA 200911-04

                                        http://security.gentoo.org/

Severity: Normal
Title: dstat: Untrusted search path
Date: November 25, 2009
Bugs: #293497
ID: 200911-04

Synopsis

An untrusted search path vulnerability in the dstat might result in the
execution of arbitrary code.

Background

dstat is a versatile system resource monitor written in Python.

Affected packages

-------------------------------------------------------------------
 Package         /  Vulnerable  /                       Unaffected
-------------------------------------------------------------------

1 sys-apps/dstat < 0.6.9-r1 >= 0.6.9-r1

Description

Robert Buchholz of the Gentoo Security Team reported that dstat
includes the current working directory and subdirectories in the Python
module search path (sys.path) before calling "import".

Impact

A local attacker could entice a user to run "dstat" from a directory
containing a specially crafted Python module, resulting in the
execution of arbitrary code with the privileges of the user running the
application.

Workaround

Do not run "dstat" from untrusted working directories.

Resolution

All dstat users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=sys-apps/dstat-0.6.9-r1&quot;

References

[ 1 ] CVE-2009-3894
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3894

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200911-04.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
https://bugs.gentoo.org.