Bug 300188 (CVE-2009-4261)

Summary: <app-emulation/ganeti-{1.2.9,2.0.5,2.1.0_rc2} Arbitrary Command Execution/Privilege Escalation (CVE-2009-4261)
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: ramereth
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://groups.google.com/group/ganeti/browse_thread/thread/cbce23d89103a8d2
Whiteboard: ~1 [noglsa]
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2010-01-08 17:14:35 UTC
CVE-2009-4261 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4261):
  Multiple directory traversal vulnerabilities in the iallocator
  framework in Ganeti 1.2.4 through 1.2.8, 2.0.0 through 2.0.4, and
  2.1.0 before 2.1.0~rc2 allow (1) remote attackers to execute
  arbitrary programs via a crafted external script name supplied
  through the HTTP remote API (RAPI) and allow (2) local users to
  execute arbitrary programs and gain privileges via a crafted external
  script name supplied through a gnt-* command, related to "path
  sanitization errors."

Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-10 12:32:35 UTC
No vulnerable version is in the tree, closing noglsa per http://www.gentoo.org/security/en/vulnerability-policy.xml (GLSA: no for ~1 vulnerabilities).