Bug 300188 (CVE-2009-4261) - <app-emulation/ganeti-{1.2.9,2.0.5,2.1.0_rc2} Arbitrary Command Execution/Privilege Escalation (CVE-2009-4261)
Status: RESOLVED FIXED
Alias: CVE-2009-4261
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://groups.google.com/group/ganeti...
Whiteboard: ~1 [noglsa]
Reported: 2010-01-08 17:14 UTC by Alex Legler (RETIRED)
Modified: 2011-01-10 12:32 UTC
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2010-01-08 17:14:35 UTC
CVE-2009-4261 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4261):
  Multiple directory traversal vulnerabilities in the iallocator
  framework in Ganeti 1.2.4 through 1.2.8, 2.0.0 through 2.0.4, and
  2.1.0 before 2.1.0~rc2 allow (1) remote attackers to execute
  arbitrary programs via a crafted external script name supplied
  through the HTTP remote API (RAPI) and allow (2) local users to
  execute arbitrary programs and gain privileges via a crafted external
  script name supplied through a gnt-* command, related to "path
  sanitization errors."
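
The class of path sanitization error the CVE text describes, shown as an added example (not Ganeti's code and not part of the original report): an unchecked script-name lookup beside a hardened one. The function names, directory layout and script names are hypothetical and constructed for the demonstration.

```python
import os
import tempfile


def find_script_unsafe(name, search_path):
    """Lookup with no name check: the caller-supplied name is joined as-is."""
    for directory in search_path:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def find_script(name, search_path):
    """Hardened lookup: accept only a plain file name that resolves to an
    executable regular file located directly inside a search directory."""
    if not name or name in (".", "..") or "\0" in name:
        return None
    if os.path.basename(name) != name:  # rejects "/" anywhere, incl. absolute paths
        return None
    for directory in search_path:
        base = os.path.realpath(directory)
        candidate = os.path.realpath(os.path.join(base, name))
        # realpath follows symlinks, so a link pointing outside base is refused
        if os.path.dirname(candidate) != base:
            continue
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def demo():
    """Build a constructed directory layout and compare both lookups."""
    with tempfile.TemporaryDirectory() as root:
        alloc_dir = os.path.join(root, "iallocators")
        other_dir = os.path.join(root, "elsewhere")
        for directory, script in ((alloc_dir, "balancer"), (other_dir, "tool")):
            os.makedirs(directory)
            path = os.path.join(directory, script)
            with open(path, "w") as handle:
                handle.write("#!/bin/sh\n")
            os.chmod(path, 0o755)
        names = ["balancer", "../elsewhere/tool", os.path.join(other_dir, "tool")]
        return [
            (find_script_unsafe(n, [alloc_dir]) is not None,
             find_script(n, [alloc_dir]) is not None)
            for n in names
        ]


if __name__ == "__main__":
    print(demo())
```

Each tuple is (unchecked lookup resolved, hardened lookup resolved); only the plain name inside the configured directory passes both.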
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-10 12:32:35 UTC
No vulnerable version is in the tree, closing noglsa per http://www.gentoo.org/security/en/vulnerability-policy.xml (GLSA: no for ~1 vulnerabilities).