Robert Buchholz of the Gentoo Security Team reported that the dstat utility contains a flaw in the Python module search path used. dstat will search the current working directory for Python modules.
If a local user is able to trick another user into running dstat in a directory containing a malicious module, they could perform arbitrary actions with the permissions of the victim.
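An added example, not part of the original report and not dstat's code or its fix: a check that flags module search path entries resolved against the current working directory, plus a constructed scenario showing which file the import system would pick before and after those entries are dropped. The module name and both temporary directories are assumptions made up for the illustration.

```python
import importlib.machinery
import os
import tempfile

def cwd_dependent_entries(search_path):
    """Return (index, entry, reason) for entries resolved against the CWD."""
    findings = []
    for index, entry in enumerate(search_path):
        if entry == "":
            findings.append((index, entry, "empty string means the current directory"))
        elif not os.path.isabs(entry):
            findings.append((index, entry, "relative path is resolved against the current directory"))
    return findings

def hardened(search_path):
    """Drop every CWD-dependent entry and keep the order of the rest."""
    bad = {index for index, _, _ in cwd_dependent_entries(search_path)}
    return [entry for index, entry in enumerate(search_path) if index not in bad]

def resolve_origin(module_name, search_path):
    """File the import system would load for module_name, or None."""
    spec = importlib.machinery.PathFinder.find_spec(module_name, search_path)
    return spec.origin if spec else None

def demo():
    """Constructed scenario: the working directory holds a same-named module."""
    name = "constructed_plugin_demo"  # hypothetical module name
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as untrusted:
        for directory in (trusted, untrusted):
            with open(os.path.join(directory, name + ".py"), "w") as handle:
                handle.write("SOURCE = %r\n" % directory)  # harmless marker only
        weak = ["", trusted]  # constructed path: working directory searched first
        os.chdir(untrusted)
        try:
            before = resolve_origin(name, weak)
            after = resolve_origin(name, hardened(weak))
        finally:
            os.chdir(old_cwd)
        real = os.path.realpath
        return (os.path.dirname(real(before)) == real(untrusted),
                os.path.dirname(real(after)) == real(trusted))

if __name__ == "__main__":
    print(cwd_dependent_entries(["", "/usr/lib/python3", "./plugins"]))
    print(demo())
```

Running `cwd_dependent_entries(sys.path)` at the start of a tool shows whether it is exposed to the directory it was launched from.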
Public now via:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2009:1619 https://rhn.redhat.com/errata/RHSA-2009-1619.html
dstat-0.7.0-1.fc12 has been submitted as an update for Fedora 12.
dstat-0.6.9-5.fc11 has been submitted as an update for Fedora 11.
dstat-0.6.9-5.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
dstat-0.7.0-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.