From: Robert Buchholz <rbu@gentoo.org.>
To: gentoo-announce@gentoo.org
Subject: [ GLSA 200810-02 ] Portage: Untrusted search path local root vulnerability
Date: Thu, 9 Oct 2008 19:36:48 +0200
User-Agent: KMail/1.9.9
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk,
security-alerts@linuxsecurity.com
MIME-Version: 1.0
Content-Type: multipart/signed;
boundary="nextPart1544741.rJKouPTnrM";
protocol="application/pgp-signature";
micalg=pgp-sha1
Content-Transfer-Encoding: 7bit
Message-Id: <200810091936.54735.rbu@gentoo.org.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
--nextPart1544741.rJKouPTnrM
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200810-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Portage: Untrusted search path local root vulnerability
Date: October 09, 2008
Bugs: #239560
ID: 200810-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A search path vulnerability in Portage allows local attackers to
execute commands with root privileges if emerge is called from
untrusted directories.
Background
==========
Portage is Gentoo's package manager which is responsible for
installing, compiling and updating all packages on the system through
the Gentoo rsync tree.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-apps/portage < 2.1.4.5 >= 2.1.4.5
Description
===========
The Gentoo Security Team discovered that several ebuilds, such as
sys-apps/portage, net-mail/fetchmail or app-editors/leo execute Python
code using "python -c", which includes the current working directory in
Python's module search path. For several ebuild functions, Portage did
not change the working directory from emerge's working directory.
Impact
======
A local attacker could place a specially crafted Python module in a
directory (such as /tmp) and entice the root user to run commands such
as "emerge sys-apps/portage" from that directory, resulting in the
execution of arbitrary Python code with root privileges.
Workaround
==========
Do not run "emerge" from untrusted working directories.
Resolution
==========
All Portage users should upgrade to the latest version:
# cd /root
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/portage-2.1.4.5"
NOTE: To upgrade to Portage 2.1.4.5 using 2.1.4.4 or prior, you must
run emerge from a trusted working directory, such as "/root".
References
==========
[ 1 ] CVE-2008-4394
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4394
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200810-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
--nextPart1544741.rJKouPTnrM
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iQIcBAABAgAGBQJI7kE2AAoJECaaHo/OfoM59O8P/Ri1VIlxASPpkpQderVAUnT0
7r83vbejEFZjpu5KPIeNRJF+twolWrv50491/n71QcS4kxXLpmjmk9HPgy6UVQ89
sVoApXSCUC1ddWrqnBKjaYCsQNnYdfW10dFlymQ0zqwbQJKnOkUo4l2iFr7lPWXC
E2hCWTqisDb++1J2URV5OB2B5MBUgBZP2nrCiRI9sivwWDL9//yLzRn+CCV6qKhz
Sqz6GzqcJyGnKogDC0F2tTiH7211fpKE3fZ5hwfH5JG76xD//RZ3F1lBLyviJ0c3
3hzlnFliAX4qfcyTwU6+iwgU+1KjJsxm0BoNgKnRnpUf/sbvK//+qESLHttBAY//
FAAWay35FAXUOpAIcGGdhWtTwsm0WP+EG8nucApezuPL6VvrQVBn7uUM/NwMHAfN
LSwOyxWmFPw/glBoTIiMH6ktrAFkMOLKHGJMjEE8C7lt1B5TKui9joxlGOub+mMQ
nLH6wx2OCGrrWPbtGiBPCul6C/jczKYzy2Xb/ITYRqCpcjiYyVspUaFlsnrJR1+q
tVvkxUH2vO10H1Y9thMpmkBhQiR+vdstKqBkAsucegpmhWh7X6niAPbh96EjY19O
csBHRhaDg1y6d+IGTIUDeyQ/hVWmHfaaI+Q77PirOKsy2NwnXIbZ4j5wS8aWJ3R3
E7i3nCy8K5WOeW66LbDM
=vdYJ
-----END PGP SIGNATURE-----
--nextPart1544741.rJKouPTnrM--
