Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 293497 (CVE-2009-3894)

Summary: <sys-apps/dstat-0.6.9-r1 Untrusted Search Path (CVE-2009-{3894,4081})
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: armin76, chainsaw, fauli, jer, keytoaster, maekke, swegener, tcunha
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
dstat-0.6.9-r1.ebuild
none
dstat-0.6.9-cwd.patch none

Description Robert Buchholz (RETIRED) gentoo-dev 2009-11-17 12:37:52 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

dstat includes the current working directory and the "profile" 
subdirectory in the sys.path. This will lead to a compromise of an 
account (execution of arbitrary code) if a user runs "dstat" in a 
directory that is writable by an attacker (e.g. /tmp) and an attacker 
places certain Python modules in the directory (e.g. getopt.py).

I have investigated the dstat history and found that at least versions 
since SVN r3464 are vulnerable from this. Earlier, dstat determined the 
absolute path of the dstat executable and only added its dirname. 
However, versions before 3199 had today's logic of using '.' as the 
path to import.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-11-17 13:11:51 UTC
Created attachment 210507 [details]
dstat-0.6.9-r1.ebuild
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-11-17 13:12:08 UTC
Created attachment 210509 [details, diff]
dstat-0.6.9-cwd.patch
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-11-17 13:12:42 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "amd64 hppa sparc x86"

CC'ing current Liaisons:
   amd64 : keytoaster, chainsaw
    hppa : jer
   sparc : armin76, tcunha
     x86 : fauli, maekke
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2009-11-17 14:19:25 UTC
HPPA is OK.
Comment 5 Tiago Cunha (RETIRED) gentoo-dev 2009-11-17 15:25:18 UTC
sparc ok
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-18 10:39:42 UTC
x86 ok
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-11-25 12:32:44 UTC
I have been running on amd64 with the patch for a while as well. so amd64 stable.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2009-11-25 15:07:03 UTC
0.7.0 is released and contains the fix:
http://dag.wieers.com/home-made/dstat/#download

0.6.9-r1 is committed. This bug is now public.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-11-25 16:09:55 UTC
GLSA 200911-04
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-11-30 17:00:21 UTC
A second CVE identifier has been assigned to the "same" vulnerability in old versions. So we get:

CVE-2009-4081 : r???? <-> r3199
CVE-2009-3894 : r3464 <-> r8040
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-30 18:57:26 UTC
CVE-2009-3894 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3894):
  Multiple untrusted search path vulnerabilities in dstat before 0.7.0
  allow local users to gain privileges via a Trojan horse Python module
  in (1) the current working directory or (2) a certain subdirectory of
  the current working directory.

CVE-2009-4081 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4081):
  Untrusted search path vulnerability in dstat before r3199 allows
  local users to gain privileges via a Trojan horse Python module in
  the current working directory, a different vulnerability than
  CVE-2009-3894.