Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 293497 (CVE-2009-3894) - <sys-apps/dstat-0.6.9-r1 Untrusted Search Path (CVE-2009-{3894,4081})
Summary: <sys-apps/dstat-0.6.9-r1 Untrusted Search Path (CVE-2009-{3894,4081})
Alias: CVE-2009-3894
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2009-11-17 12:37 UTC by Robert Buchholz (RETIRED)
Modified: 2009-11-30 18:57 UTC (History)
8 users (show)

See Also:
Package list:
Runtime testing required: ---

dstat-0.6.9-r1.ebuild (dstat-0.6.9-r1.ebuild,969 bytes, text/plain)
2009-11-17 13:11 UTC, Robert Buchholz (RETIRED)
no flags Details
dstat-0.6.9-cwd.patch (dstat-0.6.9-cwd.patch,673 bytes, patch)
2009-11-17 13:12 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-11-17 12:37:52 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

dstat includes the current working directory and the "profile" 
subdirectory in the sys.path. This will lead to a compromise of an 
account (execution of arbitrary code) if a user runs "dstat" in a 
directory that is writable by an attacker (e.g. /tmp) and an attacker 
places certain Python modules in the directory (e.g.

I have investigated the dstat history and found that at least versions 
since SVN r3464 are vulnerable from this. Earlier, dstat determined the 
absolute path of the dstat executable and only added its dirname. 
However, versions before 3199 had today's logic of using '.' as the 
path to import.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-11-17 13:11:51 UTC
Created attachment 210507 [details]
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-11-17 13:12:08 UTC
Created attachment 210509 [details, diff]
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-11-17 13:12:42 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "amd64 hppa sparc x86"

CC'ing current Liaisons:
   amd64 : keytoaster, chainsaw
    hppa : jer
   sparc : armin76, tcunha
     x86 : fauli, maekke
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2009-11-17 14:19:25 UTC
Comment 5 Tiago Cunha (RETIRED) gentoo-dev 2009-11-17 15:25:18 UTC
sparc ok
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-18 10:39:42 UTC
x86 ok
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-11-25 12:32:44 UTC
I have been running on amd64 with the patch for a while as well. so amd64 stable.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2009-11-25 15:07:03 UTC
0.7.0 is released and contains the fix:

0.6.9-r1 is committed. This bug is now public.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-11-25 16:09:55 UTC
GLSA 200911-04
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-11-30 17:00:21 UTC
A second CVE identifier has been assigned to the "same" vulnerability in old versions. So we get:

CVE-2009-4081 : r???? <-> r3199
CVE-2009-3894 : r3464 <-> r8040
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-30 18:57:26 UTC
CVE-2009-3894 (
  Multiple untrusted search path vulnerabilities in dstat before 0.7.0
  allow local users to gain privileges via a Trojan horse Python module
  in (1) the current working directory or (2) a certain subdirectory of
  the current working directory.

CVE-2009-4081 (
  Untrusted search path vulnerability in dstat before r3199 allows
  local users to gain privileges via a Trojan horse Python module in
  the current working directory, a different vulnerability than