Bug#: 143371
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>

Description:   Opened: 2006-08-09 11:39 0000
2006-08-08: multiple local privilege escalation vulnerabilities
 This problem applies to systems where setuid/seteuid calls can fail due to
resource exhaustion. One operating system where that is true is Linux. The
programs that this problem applies to are ftpd and rcp. The problem only applies
to rcp if it is installed setuid root (not done by default). 
 Patch (heimdal-0.7.2-setuid-patch) for Heimdal 0.7.2 fixes this problem. 
 One workaround is to make sure set{e,}uid doesn't fail. Also disabling ftpd
and removing the setuid bit from rcp will solve the problem. 
 Thanks to Tom Yu at MIT and Michael Calmer and Marcus Meissner at SUSE for
telling us about the problem. Either of CVE-2006-3083 or CVE-2006-3084 describes
this problem.
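
The failure mode described above, as an added example that is not part of the original report and is not the Heimdal patch: a privilege drop whose return value is ignored keeps running as root when the call fails, while a checked drop fails closed. The function-pointer hooks, the stub functions, uid 1000 and the EAGAIN errno are assumptions made so the failure can be simulated without root; in real code the hooks would be setuid(2) and getuid(2).

```c
/* Added example: unchecked vs. checked privilege drop. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical hooks with the same signatures as setuid(2)/getuid(2),
 * so a failure can be simulated without root. */
typedef int (*setuid_fn)(uid_t);
typedef uid_t (*getuid_fn)(void);

/* Constructed stub state: a process still running as uid 0. */
static uid_t fake_uid = 0;
static uid_t fake_getuid(void) { return fake_uid; }
static int working_setuid(uid_t uid) { fake_uid = uid; return 0; }
/* Simulated failure; EAGAIN is an assumed errno for the exhaustion case. */
static int failing_setuid(uid_t uid) { (void)uid; errno = EAGAIN; return -1; }

/* Vulnerable pattern: the result of the call is ignored. Returns the uid
 * that the code following the "drop" would actually run as. */
uid_t drop_unchecked(uid_t target, setuid_fn set, getuid_fn get)
{
    (void)set(target);
    return get();
}

/* Hardened pattern: fail closed. Returns 0 only when the drop succeeded
 * and the resulting uid was verified; the caller must exit on -1. */
int drop_checked(uid_t target, setuid_fn set, getuid_fn get)
{
    if (set(target) != 0)
        return -1;
    if (get() != target)
        return -1;
    return 0;
}

int main(void)
{
    uid_t ran_as = drop_unchecked(1000, failing_setuid, fake_getuid);
    printf("unchecked drop, setuid failed: continues as uid %d\n", (int)ran_as);
    if (drop_checked(1000, failing_setuid, fake_getuid) != 0)
        printf("checked drop, setuid failed: refused (errno %d)\n", errno);
    if (drop_checked(1000, working_setuid, fake_getuid) == 0)
        printf("checked drop, setuid ok: now uid %d\n", (int)fake_getuid());
    return 0;
}
```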

------- Comment #1 From Sune Kloppenborg Jeppesen 2006-08-09 11:40:24 0000 -------
Kerberos, please provide an updated ebuild.

------- Comment #2 From Seemant Kulleen (RETIRED) 2006-08-10 19:15:16 0000 -------
Ebuild is on its way, sorry for the delay.

------- Comment #3 From Seemant Kulleen (RETIRED) 2006-08-10 19:20:01 0000 -------
Ebuild is in portage. The patch ball is on its way to the mirrors and is also
in my dev.gentoo space (in SRC_URI). Will remove that some time during the
stable marking, after our mirrors have the patchball.

------- Comment #4 From Seemant Kulleen (RETIRED) 2006-08-10 19:31:18 0000 -------
adding arches, btw

------- Comment #5 From Joshua Jackson 2006-08-10 20:56:26 0000 -------
x86 is done, easy enough to test actually.

------- Comment #6 From Thomas Cort (RETIRED) 2006-08-10 21:51:03 0000 -------
amd64 stable.

------- Comment #7 From Thomas Cort (RETIRED) 2006-08-11 08:05:53 0000 -------
alpha stable.

------- Comment #8 From Tobias Scherbaum 2006-08-11 14:01:17 0000 -------
ppc stable

------- Comment #9 From Jason Wever (RETIRED) 2006-08-11 14:36:19 0000 -------
Stable on SPARC

------- Comment #10 From Markus Rothe 2006-08-12 07:45:25 0000 -------
ppc64 stable

------- Comment #11 From René Nussbaumer 2006-08-12 08:15:48 0000 -------
stable on hppa

------- Comment #12 From Thierry Carrez (RETIRED) 2006-08-12 08:35:04 0000 -------
This is ready for GLSA.

------- Comment #13 From Raphael Marichez 2006-08-23 12:24:20 0000 -------
GLSA 200608-21, thanks to all and especially daxo'

------- Comment #14 From Joshua Kinard 2006-09-03 13:36:17 0000 -------
0.7.2-r3 stable on mips.
