| Summary: | <dev-util/catfish-1.0.2: insecure loading of python script (CVE-2014-{2093,2094,2095,2096}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | aambitny |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1069396 | | |
| Whiteboard: | B4 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 506042 | | |
| Bug Blocks: | 495156, 518294 | | |
Description
Agostino Sarubbo
2014-02-26 13:43:20 UTC
CVE-2014-2096 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2096): Untrusted search path vulnerability in Catfish 0.6.0 through 1.0.0 allows local users to gain privileges via a Trojan horse bin/catfish.py under the current working directory.

CVE-2014-2095 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2095): Untrusted search path vulnerability in Catfish 0.6.0 through 1.0.0, when a Fedora package such as 0.8.2-1 is not used, allows local users to gain privileges via a Trojan horse bin/catfish.pyc under the current working directory.

CVE-2014-2094 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2094): Untrusted search path vulnerability in Catfish through 0.4.0.3, when a Fedora package such as 0.4.0.2-2 is not used, allows local users to gain privileges via a Trojan horse catfish.pyc in the current working directory.

CVE-2014-2093 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2093): Untrusted search path vulnerability in Catfish through 0.4.0.3 allows local users to gain privileges via a Trojan horse catfish.py in the current working directory.

ping

In the meantime, =dev-util/catfish-1.0.2 has been released. Please update.
https://launchpad.net/catfish-search

*** Bug 518298 has been marked as a duplicate of this bug. ***

From ChangeLog file of catfish-1.0.2 tarball:

v1.0.1:
+ Fix CVE-2014-2093 CVE-2014-2094 CVE-2014-2095 CVE-2014-2096
  - Debian #739958
  - Fedora #1069396
+ Fix multiple-selection regression (lp: #1283726)

Please test and stabilize:

=dev-util/catfish-1.0.2

(In reply to Samuli Suominen from comment #5)
> Please test and stabilize:
>
> =dev-util/catfish-1.0.2

I'm a Gentoo newbie, so excuse me if the following question is not relevant.

To resolve the dependency on pexpect for python 3.3 I had to use unstable pexpect (~amd64). So shouldn't this bug depend on Bug 506042, which is the stabilization request for pexpect 3.0 compatible with python 3.3?

(In reply to Paweł Stankowski from comment #6)
> So shouldn't this bug depend on Bug 506042 which is stabilization request
> for pexpect 3.0 compatible with python 3.3?

Sure, you are right.

amd64 stable

x86 stable. Maintainer(s), please cleanup. Security, please vote.

GLSA vote: yes

Maintainer(s), please drop the vulnerable version.

GLSA Vote: Yes

Created a New GLSA request.

cleanup done, unCCing desktop-misc@, nothing left for us here

This issue was resolved and addressed in GLSA 201408-04 at http://security.gentoo.org/glsa/glsa-201408-04.xml by GLSA coordinator Mikle Kolyada (Zlogene).
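The untrusted-search-path flaw the four CVEs describe (a launcher picking up bin/catfish.py from the current working directory instead of from the install prefix), as an added example that is not code from the Catfish project or from this bug report: a flawed resolver beside a hardened one, exercised on constructed temporary directories (all paths are hypothetical).

```python
import os
import stat
import tempfile


def insecure_locate(relpath, search_path, cwd=None):
    """Flawed resolution: an empty search-path entry means 'the current
    directory', so whoever controls the directory the user launched from
    decides which script gets loaded."""
    cwd = cwd or os.getcwd()
    for entry in search_path:
        candidate = os.path.join(cwd if entry == "" else entry, relpath)
        if os.path.isfile(candidate):
            return candidate
    return None


def secure_locate(relpath, install_dir):
    """Hardened resolution: consult only the install prefix, require the
    resolved path to stay inside it (no symlink escape), and reject files
    or parent directories that other users could modify."""
    install_dir = os.path.realpath(install_dir)
    candidate = os.path.realpath(os.path.join(install_dir, relpath))
    if os.path.commonpath([install_dir, candidate]) != install_dir:
        raise ValueError("script resolved outside the install prefix")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(candidate)
    for path in (candidate, os.path.dirname(candidate)):
        if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{path} is writable by group/other")
    return candidate


def demo():
    """Constructed layout: a legitimate install prefix and a separate working
    directory that also happens to hold bin/catfish.py (hypothetical paths)."""
    root = tempfile.mkdtemp()
    install = os.path.join(root, "usr")
    cwd = os.path.join(root, "home", "user")
    for base in (install, cwd):
        os.makedirs(os.path.join(base, "bin"), mode=0o755)
        with open(os.path.join(base, "bin", "catfish.py"), "w") as fh:
            fh.write("# placeholder script body\n")
        os.chmod(os.path.join(base, "bin", "catfish.py"), 0o755)
    # search path as a flawed launcher might build it: '' (cwd) comes first
    found_insecure = insecure_locate("bin/catfish.py", ["", install], cwd=cwd)
    found_secure = secure_locate("bin/catfish.py", install)
    return (os.path.realpath(found_insecure).startswith(os.path.realpath(cwd)),
            found_secure.startswith(os.path.realpath(install)))
```

demo() returns (True, True): the flawed resolver picks the copy in the working directory, the hardened one only ever returns the installed copy.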