[Frugalware-security] [ FSA-268 ] python

voroskoi noreply at frugalware.org
Fri Sep 7 13:48:21 CEST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frugalware Security Advisory                           FSA-268

Date: 2007-09-07
Package: python
Vulnerable versions: <= 2.5-3terminus1
Unaffected versions: >= 2.5-3terminus2
Related bugreport: http://bugs.frugalware.org/task/2382
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4559

Description
===========

Some vulnerabilities have been reported in the Python tarfile module, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerabilities are caused by input validation errors when extracting tar archives. A specially crafted tar archive that uses the "../" directory traversal sequence or malicious symlinks can cause files to be extracted to arbitrary locations outside the specified directory, with the permissions of the application using the tarfile module.
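
For applications that unpack untrusted archives, the check below screens a tar archive for both conditions described above before anything is extracted. It is an added example, not part of the original advisory or of the Python fix; audit_members, build_sample and the destination /srv/unpack are hypothetical names, and the sample archive is constructed in memory.

```python
import io
import os
import tarfile

def _inside(base, path):
    """True if path, joined to base and normalised, stays under base."""
    base = os.path.abspath(base)
    full = os.path.abspath(os.path.join(base, path))  # absolute path replaces base
    return os.path.commonpath([base, full]) == base

def audit_members(tar, dest):
    """Return (name, reason) for each member that could write outside dest."""
    findings, links = [], set()  # links: link members seen so far
    for m in tar.getmembers():
        name = os.path.normpath(m.name)
        is_link = m.issym() or m.islnk()
        # Symlink targets resolve from the link's directory, hard links from the root.
        link_base = os.path.dirname(m.name) if m.issym() else ""
        if not _inside(dest, m.name):
            findings.append((m.name, "path escapes destination"))
        elif any(name.startswith(l + os.sep) for l in links):
            # Lexical checks cannot see through an earlier link, so refuse.
            findings.append((m.name, "path passes through archived link"))
        elif is_link and not _inside(dest, os.path.join(link_base, m.linkname)):
            findings.append((m.name, "link target escapes destination"))
        if is_link:
            links.add(name)
    return findings

def build_sample():
    """Constructed archive: one benign file and three hostile members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data=b"", link=None):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            if link is not None:
                info.type, info.linkname = tarfile.SYMTYPE, link
            tar.addfile(info, io.BytesIO(data))
        add("docs/readme.txt", b"ok")
        add("../outside.txt", b"x")
        add("cache", link="/tmp")
        add("cache/dropped.txt", b"x")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    with tarfile.open(fileobj=build_sample()) as sample:
        for name, reason in audit_members(sample, "/srv/unpack"):
            print(f"REJECT {name}: {reason}")
```

Refuse the whole archive when the returned list is non-empty. Python releases that provide tarfile extraction filters apply comparable checks at extraction time with extractall(dest, filter="data").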

Updated Packages
================

Check if you have python installed:

	# pacman-g2 -Q python

If found, then you should upgrade to the latest version:

	# pacman-g2 -Sy python

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: See http://ftp.frugalware.org/pub/README.GPG for info

iD8DBQFG4TqFZ7NElSD1VhkRAkZmAKCXylNFa5bOHSIkCmhhqw3DbI9BqACfdO47
ZD1AGVRXmAgkXcZV4vmcLVM=
=jzwA
-----END PGP SIGNATURE-----

