python-updater: Untrusted search path

1. Gentoo Linux Security Advisory

Advisory Reference	GLSA 201009-08 / python-updater
Release Date	September 21, 2010
Latest Revision	September 21, 2010: 01
Impact	high
Exploitable	local

Package	Vulnerable versions	Unaffected versions	Architecture(s)
app-admin/python-updater	< 0.7-r1	>= 0.7-r1	All supported architectures

Related bugreports: #288361

Synopsis

An untrusted search path vulnerability in python-updater might result in the execution of arbitrary code.

2. Impact Information

Background

python-updater is a script used to remerge python packages when changing Python version.

Description

Robert Buchholz of the Gentoo Security Team reported that python-updater includes the current working directory and subdirectories in the Python module search path (sys.path) before calling "import".

Impact

A local attacker could entice the root user to run "python-updater" from a directory containing a specially crafted Python module, resulting in the execution of arbitrary code with root privileges.

3. Resolution Information

Workaround

Do not run "python-updater" from untrusted working directories.

Resolution

All python-updater users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/python-updater-0.7-r1"

Page updated September 21, 2010

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.