Portage: Untrusted search path local root vulnerability

1. Gentoo Linux Security Advisory

Advisory Reference	GLSA 200810-02 / portage
Release Date	October 09, 2008
Latest Revision	October 09, 2008: 01
Impact	high
Exploitable	local

Package	Vulnerable versions	Unaffected versions	Architecture(s)
sys-apps/portage	< 2.1.4.5	>= 2.1.4.5	All supported architectures

Related bugreports: #239560

Synopsis

A search path vulnerability in Portage allows local attackers to execute commands with root privileges if emerge is called from untrusted directories.

2. Impact Information

Background

Portage is Gentoo's package manager which is responsible for installing, compiling and updating all packages on the system through the Gentoo rsync tree.

Description

The Gentoo Security Team discovered that several ebuilds, such as sys-apps/portage, net-mail/fetchmail or app-editors/leo execute Python code using "python -c", which includes the current working directory in Python's module search path. For several ebuild functions, Portage did not change the working directory from emerge's working directory.

Impact

A local attacker could place a specially crafted Python module in a directory (such as /tmp) and entice the root user to run commands such as "emerge sys-apps/portage" from that directory, resulting in the execution of arbitrary Python code with root privileges.

3. Resolution Information

Workaround

Do not run "emerge" from untrusted working directories.

Resolution

All Portage users should upgrade to the latest version:

Code Listing 3.1: Resolution

# cd /root
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/portage-2.1.4.5"

NOTE: To upgrade to Portage 2.1.4.5 using 2.1.4.4 or prior, you must run emerge from a trusted working directory, such as "/root".

4. References

CVE-2008-4394

Page updated October 09, 2008

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.