Home / mailings [gentoo-announce] [ GLSA 200810-02 ] Portage: Untrusted search path local root vulnerability
Posted on 09 October 2008
Gentoo-announce--nextPart1544741.rJKouPTnrM
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200810-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Portage: Untrusted search path local root vulnerability
Date: October 09, 2008
Bugs: #239560
ID: 200810-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A search path vulnerability in Portage allows local attackers to
execute commands with root privileges if emerge is called from
untrusted directories.
Background
==========
Portage is Gentoo's package manager which is responsible for
installing, compiling and updating all packages on the system through
the Gentoo rsync tree.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-apps/portage < 2.1.4.5 >= 2.1.4.5
Description
===========
The Gentoo Security Team discovered that several ebuilds, such as
sys-apps/portage, net-mail/fetchmail or app-editors/leo execute Python
code using "python -c", which includes the current working directory in
Python's module search path. For several ebuild functions, Portage did
not change the working directory from emerge's working directory.
Impact
======
A local attacker could place a specially crafted Python module in a
directory (such as /tmp) and entice the root user to run commands such
as "emerge sys-apps/portage" from that directory, resulting in the
execution of arbitrary Python code with root privileges.
Workaround
==========
Do not run "emerge" from untrusted working directories.
Resolution
==========
All Portage users should upgrade to the latest version:
# cd /root
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/portage-2.1.4.5"
NOTE: To upgrade to Portage 2.1.4.5 using 2.1.4.4 or prior, you must
run emerge from a trusted working directory, such as "/root".
References
==========
[ 1 ] CVE-2008-4394
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4394
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200810-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
--nextPart1544741.rJKouPTnrM
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part.