The amsvis command in the powerpc-utils-python package implements a client-server protocol to exchange Active Memory Sharing information, based on the Python cPickle serialization library. This could allow an attacker who can connect to the amsvis server process (or cause an amsvis client process to connect to them) to execute arbitrary code as the user running the amsvis process. This update changes the client-server protocol to use JSON instead.
This issue was discovered by Dhiru Kholia of Red Hat Product Security.
Public via: http://sourceforge.net/p/powerpc-utils/mailman/message/32884230/
Created powerpc-utils-python tracking bugs for this issue:
Affects: fedora-all [bug 1190597]
This issue affects the versions of powerpc-utils-python as shipped with Red Hat Enterprise Linux 7 for Power. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:2607 https://rhn.redhat.com/errata/RHSA-2016-2607.html
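The move from pickle to JSON described in the report, sketched as an added example (this is not the powerpc-utils-python code): a receiver that accepts only length-prefixed JSON carrying plain numeric data and refuses anything else, including a pickle stream. The 4-byte framing, the size cap and the field names are assumptions made for the illustration.

```python
import json
import pickle
import struct

MAX_FRAME = 1 << 20           # assumed cap on one message, in bytes
HEADER = struct.Struct("!I")  # assumed framing: 4-byte big-endian length


class ProtocolError(ValueError):
    """Raised for any frame that is not a well-formed data message."""


def encode_frame(stats):
    """Serialize statistics to a length-prefixed JSON frame."""
    body = json.dumps(stats, separators=(",", ":")).encode("utf-8")
    return HEADER.pack(len(body)) + body


def decode_frame(frame):
    """Parse one frame from an untrusted peer; returns a dict of numbers."""
    if len(frame) < HEADER.size:
        raise ProtocolError("short header")
    (length,) = HEADER.unpack_from(frame)
    if length > MAX_FRAME or length != len(frame) - HEADER.size:
        raise ProtocolError("bad length")
    try:
        # json.loads only ever builds dict/list/str/number/bool/None;
        # unlike unpickling, it never imports or calls anything.
        obj = json.loads(frame[HEADER.size:].decode("utf-8"))
    except (ValueError, RecursionError) as exc:
        raise ProtocolError("not JSON") from exc
    if not isinstance(obj, dict):
        raise ProtocolError("top level must be an object")
    for key, value in obj.items():
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise ProtocolError("non-numeric value for %r" % key)
    return obj


def is_rejected(frame):
    """True if decode_frame refuses the frame."""
    try:
        decode_frame(frame)
    except ProtocolError:
        return True
    return False


# Constructed sample data; the field names are hypothetical.
SAMPLE = {"mem_total_kb": 4194304, "mem_loaned_kb": 262144}
# The same data serialized with pickle and framed the same way.
LEGACY = HEADER.pack(len(pickle.dumps(SAMPLE))) + pickle.dumps(SAMPLE)
```

Validating the decoded structure after parsing matters as much as the format change: JSON removes code execution at decode time, but the receiver still has to reject unexpected types and oversized frames.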