Summary
Nikolaus Rath discovered that s3ql, a file system for online data storage, used the pickle functionality of the Python programming language in an unsafe way. As a result, a malicious storage backend or man-in-the-middle attacker was able execute arbitrary code.
Solution
For the stable distribution (wheezy), this problem has been fixed in version 1.11.1-3+deb7u1.
We recommend that you upgrade your s3ql packages.
Insight
S3QL is a file system that stores all its data online. It supports online storage services like Amazon S3 as well as arbitrary FTP or SFTP servers. It effectively provides you with a hard disk of infinite capacity that can be accessed from any computer with internet access.
Affected
s3ql on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2014-0485 -
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities