143371 2006-08-09 11:39 0000 app-crypt/heimdal setuid issue 2006-11-11 20:40:09 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.pdc.kth.se/heimdal/advisory/2006-08-08/ B1 [glsa] jaervosz P2 major --- 1 jaervosz@gentoo.org security@gentoo.org kerberos@gentoo.org tcort@gentoo.org jaervosz@gentoo.org 2006-08-09 11:39:08 0000 2006-08-08: multiple local privilege escalation vulnerabilities This problem applies to systems where setuid/seteuid call call fail due to resource exhaustion. One operating system that is true is Linux. The programs that this this problem applies to are ftpd and rcp. The problem only apply to rcp if it installed setuid root (not done by default). Patch (heimdal-0.7.2-setuid-patch) for Heimdal 0.7.2 fixes this problem. One workaround is to make sure set{e,}uid doesn't fail. Also disabling ftpd and removing the setuid bit from rcp will solve the problem. Thanks to Tom Yu at MIT and Michael Calmer and Marcus Meissner at SUSE for tell us about the problem. Either of CVE-2006-3083 or CVE-2006-3084 describes this problems. jaervosz@gentoo.org 2006-08-09 11:40:24 0000 Kerberos please provide an updated ebuild. seemant@gentoo.org 2006-08-10 19:15:16 0000 Ebuild is on its way, sorry for the delay. seemant@gentoo.org 2006-08-10 19:20:01 0000 ebuild is in portage. the patch ball is on its way to the mirrors and is also in my dev.gentoo space (in SRC_URI). Will remove that some time during the stable marking, after our mirrors have the patchball. seemant@gentoo.org 2006-08-10 19:31:18 0000 adding arches, btw tsunam@gentoo.org 2006-08-10 20:56:26 0000 x86 is done, easy enough to test actually. tcort@gentoo.org 2006-08-10 21:51:03 0000 amd64 stable. tcort@gentoo.org 2006-08-11 08:05:53 0000 alpha stable. dertobi123@gentoo.org 2006-08-11 14:01:17 0000 ppc stable weeve@gentoo.org 2006-08-11 14:36:19 0000 Stable on SPARC corsair@gentoo.org 2006-08-12 07:45:25 0000 ppc64 stable killerfox@gentoo.org 2006-08-12 08:15:48 0000 stable on hppa koon@gentoo.org 2006-08-12 08:35:04 0000 This is ready for GLSA. falco@gentoo.org 2006-08-23 12:24:20 0000 GLSA 200608-21 , thanks to all and especially daxo' kumba@gentoo.org 2006-09-03 13:36:17 0000 0.7.2-r3 stable on mips.