Sicherheit: Ausführen beliebiger Kommandos in xchat

Lesezeichen hinzufügen

This is a multi-part message in MIME format...

------------=_1235777232-6173-1747

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:059
http://www.mandriva.com/security/
_______________________________________________________________________

Package : xchat
Date : February 27, 2009
Affected: 2008.1, 2009.0, Corporate 3.0
_______________________________________________________________________

Problem Description:

Python has a variable called sys.path that contains all paths where
Python loads modules by using import scripting procedure. A wrong
handling of that variable enables local attackers to execute arbitrary
code via Python scripting in the current X-Chat working directory
(CVE-2009-0315).

This update provides fix for that vulnerability.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0315
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.1:
b61f511361954ad962c54de28a51e15a
2008.1/i586/xchat-2.8.4-6.1mdv2008.1.i586.rpm
8607626ba499f3345ec806325f55bbd4
2008.1/i586/xchat-devel-2.8.4-6.1mdv2008.1.i586.rpm
67b22314de3df627a14a71b469f2b10d
2008.1/i586/xchat-perl-2.8.4-6.1mdv2008.1.i586.rpm
1b3c1cb6ce2f83537f0534f6e279acfc
2008.1/i586/xchat-python-2.8.4-6.1mdv2008.1.i586.rpm
a245847b5707ba85f12699602d42eacd
2008.1/i586/xchat-tcl-2.8.4-6.1mdv2008.1.i586.rpm
9d5d33acc236f57b12cafcbf4672a896
2008.1/SRPMS/xchat-2.8.4-6.1mdv2008.1.src.rpm

Mandriva Linux 2008.1/X86_64:
1807d4b111e4fb849d5641eec16cfe27
2008.1/x86_64/xchat-2.8.4-6.1mdv2008.1.x86_64.rpm
620f56924126d0cdc08b977b1e1de4fa
2008.1/x86_64/xchat-devel-2.8.4-6.1mdv2008.1.x86_64.rpm
003612de54c053a4de324a3a10c05085
2008.1/x86_64/xchat-perl-2.8.4-6.1mdv2008.1.x86_64.rpm
5f1f4477ebd7f7470f15a00a85a12531
2008.1/x86_64/xchat-python-2.8.4-6.1mdv2008.1.x86_64.rpm
ecf4fd9573420c0c7d7894ddd0de0796
2008.1/x86_64/xchat-tcl-2.8.4-6.1mdv2008.1.x86_64.rpm
9d5d33acc236f57b12cafcbf4672a896
2008.1/SRPMS/xchat-2.8.4-6.1mdv2008.1.src.rpm

Mandriva Linux 2009.0:
afc7f8d8c8de7faab7987c3d026cb59c
2009.0/i586/xchat-2.8.6-1.1mdv2009.0.i586.rpm
e94fdfd2efbed2181b72d65a9df21f8a
2009.0/i586/xchat-devel-2.8.6-1.1mdv2009.0.i586.rpm
2c3971b78671ac7a53c17b9f5135e73b
2009.0/i586/xchat-perl-2.8.6-1.1mdv2009.0.i586.rpm
a691f33b732503df3e29cfde6f65c0a7
2009.0/i586/xchat-python-2.8.6-1.1mdv2009.0.i586.rpm
5ead692459000deb5ebf3ab0a236559a
2009.0/i586/xchat-tcl-2.8.6-1.1mdv2009.0.i586.rpm
6dc7ef3ff6f39be9f251dcb13601d289
2009.0/SRPMS/xchat-2.8.6-1.1mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
cca12ae2901afc3e95623ab6344edf63
2009.0/x86_64/xchat-2.8.6-1.1mdv2009.0.x86_64.rpm
590a9dce87083e46fb90de1b20997b73
2009.0/x86_64/xchat-devel-2.8.6-1.1mdv2009.0.x86_64.rpm
727cf3e2bdf3dacc11aa5bb982704421
2009.0/x86_64/xchat-perl-2.8.6-1.1mdv2009.0.x86_64.rpm
5f33f207baf5303dcd3fb9a6e0421096
2009.0/x86_64/xchat-python-2.8.6-1.1mdv2009.0.x86_64.rpm
fb5b2450030f0bf56cb24add210e45a2
2009.0/x86_64/xchat-tcl-2.8.6-1.1mdv2009.0.x86_64.rpm
6dc7ef3ff6f39be9f251dcb13601d289
2009.0/SRPMS/xchat-2.8.6-1.1mdv2009.0.src.rpm

Corporate 3.0:
0a8a26aa7f576f77f4ec14a51421cf40
corporate/3.0/i586/xchat-2.0.7-6.2.100mdk.i586.rpm
f0092129d5b34839365a9f7d3d85c23a
corporate/3.0/i586/xchat-perl-2.0.7-6.2.100mdk.i586.rpm
48d7371a30ad17a269b06a80697f83a9
corporate/3.0/i586/xchat-python-2.0.7-6.2.100mdk.i586.rpm
44aa710343dd693caf002b1c6681dd77
corporate/3.0/i586/xchat-tcl-2.0.7-6.2.100mdk.i586.rpm
945a3ee0ecb60ac6388d6ce2a50d86c5
corporate/3.0/SRPMS/xchat-2.0.7-6.2.100mdk.src.rpm

Corporate 3.0/X86_64:
8b799973c689570764d7f401a497abbc
corporate/3.0/x86_64/xchat-2.0.7-6.2.100mdk.x86_64.rpm
5699773aef7b3d6de8cd38ebdd1797a9
corporate/3.0/x86_64/xchat-perl-2.0.7-6.2.100mdk.x86_64.rpm
eda5bf3c90ff3c9096552924ce9dce5c
corporate/3.0/x86_64/xchat-python-2.0.7-6.2.100mdk.x86_64.rpm
8366d439951dc21c0b93008c119fa41f
corporate/3.0/x86_64/xchat-tcl-2.0.7-6.2.100mdk.x86_64.rpm
945a3ee0ecb60ac6388d6ce2a50d86c5
corporate/3.0/SRPMS/xchat-2.0.7-6.2.100mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJqEobmqjQ0CJFipgRAibrAKDKT6kMH9tmZVTEEXLJO/V6qU30JgCgvRxW
vfev7NY/vyAVecUKESe20K0=
=6bnL
-----END PGP SIGNATURE-----

------------=_1235777232-6173-1747
Content-Type: text/plain; name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://www.mandrivastore.com
Join the Club : http://www.mandrivaclub.com
_______________________________________________________

------------=_1235777232-6173-1747--