[ GLSA 201811-18 ] Tablib: Arbitrary command execution


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201811-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Tablib: Arbitrary command execution
Date: November 27, 2018
Bugs: #621884
ID: 201811-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis

A vulnerability in Tablib might allow remote attackers to execute
arbitrary Python code.

Background

Tablib is an MIT Licensed format-agnostic tabular dataset library,
written in Python. It allows you to import, export, and manipulate
tabular data sets.

Affected packages

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-python/tablib            < 0.12.1                   >= 0.12.1

Description

A vulnerability was discovered in Tablib's Databook loading
functionality, due to improper input validation: a YAML Databook is
deserialized without restricting which constructors the document may
invoke, so tags embedded in the document can instantiate arbitrary
Python objects.

Impact

A remote attacker, by enticing a user to import a specially crafted
YAML Databook, could execute arbitrary Python code with the privileges
of the process that loads it.
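The vulnerability class described above, as an added example that is not part of this advisory or of Tablib's own code: a constructed YAML Databook carrying a `!!python/object/apply:` tag is loaded once with PyYAML's unrestricted `yaml.Loader` (the behaviour that yields code execution while the document is merely parsed) and once with `yaml.safe_load` (the hardened form, which refuses the tag). PyYAML is assumed to be installed; the document layout, the function names and the tag pre-filter are this example's own and are not Tablib's API.

```python
"""Added example, not Tablib's or Gentoo's code: why an unrestricted YAML
loader turns a Databook import into code execution, and the hardened form.

Assumptions: PyYAML is installed; the document layout, function names and
the tag pre-filter below are this example's own, not Tablib's API."""
import re

try:
    import yaml
except ImportError:        # the pre-filter below still works without PyYAML
    yaml = None

# Constructed attacker-controlled Databook.  The tag makes an unrestricted
# loader call builtins.sum([40, 2]) while *parsing*; a real attacker would
# name e.g. subprocess.check_output or os.system instead.
MALICIOUS_DATABOOK = """\
- title: Sheet1
  data:
    - name: !!python/object/apply:builtins.sum [[40, 2]]
      role: admin
"""

# Constructed benign Databook with the same layout.
BENIGN_DATABOOK = """\
- title: Sheet1
  data:
    - name: alice
      role: admin
"""

# Coarse pre-filter matching both the short "!!python/" form and the
# explicit "!<tag:yaml.org,2002:python/...>" form.  Defence in depth only;
# the real fix is the restricted loader below.
_PYTHON_TAG = re.compile(r"!!python/|tag:yaml\.org,2002:python/")


def pyyaml_available():
    """True if PyYAML could be imported (needed by the load functions)."""
    return yaml is not None


def has_python_tags(text):
    """True if the YAML text names any python/* constructor tag."""
    return _PYTHON_TAG.search(text) is not None


def load_databook_unsafe(text):
    """The vulnerable pattern: yaml.Loader constructs arbitrary Python
    objects, so parsing untrusted input executes attacker-chosen calls."""
    return yaml.load(text, Loader=yaml.Loader)


def load_databook_safe(text):
    """Hardened loader: safe_load only builds str/int/list/dict etc. and
    raises yaml.constructor.ConstructorError on python/* tags."""
    return yaml.safe_load(text)


def safe_loader_rejects(text):
    """True if the hardened loader refuses the document."""
    try:
        load_databook_safe(text)
    except yaml.YAMLError:
        return True
    return False


def import_databook(text):
    """Import path a Databook consumer should use: pre-filter, then
    safe_load.  Raises ValueError instead of silently executing code."""
    if has_python_tags(text):
        raise ValueError("refusing YAML document with python/* tags")
    return load_databook_safe(text)


def first_name(databook):
    """Value of the first row's 'name' column, for the demonstration."""
    return databook[0]["data"][0]["name"]


if __name__ == "__main__":
    print("unsafe loader ran sum([40, 2]) ->",
          first_name(load_databook_unsafe(MALICIOUS_DATABOOK)))
    print("safe_load rejects malicious ->", safe_loader_rejects(MALICIOUS_DATABOOK))
    print("safe_load loads benign ->", first_name(load_databook_safe(BENIGN_DATABOOK)))
```

Note the order of operations in the unsafe case: the call happens inside the parser, before the application sees a single row, so no validation of the resulting dataset can help. The regex pre-filter is useful as a log-and-reject signal but is not a substitute for `safe_load`, which is the actual fix.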

Workaround

There is no known workaround at this time.

Resolution

All Tablib users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/tablib-0.12.1"

References

[ 1 ] CVE-2017-2810
https://nvd.nist.gov/vuln/detail/CVE-2017-2810

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201811-18

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License

Copyright 2018 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons – Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
