| Field | Value |
|---|---|
| Summary | `<app-admin/abrt-2.0.8` : Setuid process core dump archived with unsafe GID permissions (CVE-2012-1106) |
| Product | Gentoo Security |
| Reporter | Michael Harrison `<n0idx80>` |
| Component | Vulnerabilities |
| Assignee | Gentoo Security `<security>` |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | gnome |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://bugzilla.redhat.com/show_bug.cgi?id=785163 |
| Whiteboard | B3 [noglsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 407251 |
| Bug Blocks | |
Description

Michael Harrison, 2012-03-05 18:41:07 UTC
Thanks for reporting, fixed in abrt-2.0.8. Note that app-admin/abrt-2.0.8 must be stabilized together with >=dev-libs/libreport-2.0.9 and probably with >=dev-libs/btparser-0.16.
>*abrt-2.0.8 (07 Mar 2012)
>
> 07 Mar 2012; Alexandre Rostovtsev <tetromino@gentoo.org> +abrt-2.0.8.ebuild,
> +files/abrt-2.0.8-gentoo.patch:
> Version bump. Fixes permissions on dumps of setuid processes (bug #407011,
> CVE-2012-1106, thanks to Michael Harrison for reporting).
Arches, please test and mark stable: =app-admin/abrt-2.0.8
Target KEYWORDS : "amd64 x86"

amd64 stable

x86 stable

Thanks, everyone. GLSA Vote: no.

GLSA vote: no. Closing noglsa.

CVE-2012-1106 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1106): The C handler plug-in in Automatic Bug Reporting Tool (ABRT), possibly 2.0.8 and earlier, does not properly set the group (GID) permissions on core dump files for setuid programs when the sysctl fs.suid_dumpable option is set to 2, which allows local users to obtain sensitive information.
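The CVE text above describes the invariant that was broken: with fs.suid_dumpable=2 ("suidsafe"), a core dump of a setuid process must stay root-owned with no group or world permission bits, and the archived copy must keep those permissions. The following audit script is an added example written for this page; it is not ABRT's or Gentoo's code. It encodes that invariant as a check an administrator can run over a dump directory. The spool paths, uids, gids and modes in `SAMPLE_DUMPS` are constructed sample values, and the `is_setuid_dump` callback is a hypothetical hook, since how a dump records the crashed process's privilege state depends on the tool that wrote it.

```python
from __future__ import annotations

import os
import stat
from dataclasses import dataclass


@dataclass
class DumpInfo:
    path: str
    mode: int             # permission bits only, i.e. stat.S_IMODE(st_mode)
    uid: int
    gid: int
    setuid_process: bool  # True if the crashed process ran setuid/privileged


def unsafe_bits(mode: int, gid: int) -> list[str]:
    """Name every permission bit that exposes a privileged dump.

    A setuid core can contain the privileged process's memory, so only the
    owner (root) may read or write it; any group or world bit is a finding.
    """
    findings = []
    if mode & stat.S_IRGRP:
        findings.append(f"group-readable by gid {gid}")
    if mode & stat.S_IWGRP:
        findings.append(f"group-writable by gid {gid}")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def audit_dump(info: DumpInfo, suid_dumpable: int) -> list[str]:
    """Return the problems found for one dump; an empty list means it is fine.

    suid_dumpable mirrors /proc/sys/fs/suid_dumpable:
      0  setuid processes are not dumped at all, so such a dump should not exist
      1  "debug": the dump gets the crashing user's credentials (flag the setting)
      2  "suidsafe": the dump must be root-owned with no group/other bits
    """
    if not info.setuid_process:
        return []  # ordinary dumps belong to the crashing user; nothing to check
    problems = []
    if suid_dumpable == 0:
        problems.append("setuid dump present although fs.suid_dumpable=0")
    elif suid_dumpable == 1:
        problems.append("fs.suid_dumpable=1 lets setuid dumps carry user credentials")
    elif info.uid != 0:
        problems.append(f"owned by uid {info.uid}, expected root")
    problems.extend(unsafe_bits(info.mode, info.gid))
    return problems


def audit_directory(directory: str, suid_dumpable: int, is_setuid_dump) -> dict[str, list[str]]:
    """Audit every regular file in a dump directory (for example an ABRT spool).

    is_setuid_dump(path) -> bool is a caller-supplied hook (hypothetical here),
    because how a dump records the crashed process's privilege state is tool-specific.
    """
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        info = DumpInfo(path, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, is_setuid_dump(path))
        results[path] = audit_dump(info, suid_dumpable)
    return results


def read_suid_dumpable(proc_path: str = "/proc/sys/fs/suid_dumpable") -> int:
    """Read the live sysctl; fall back to 0 (the kernel default) if it is unreadable."""
    try:
        with open(proc_path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 0


# Constructed sample records (not real files). The first mirrors the defect class
# from CVE-2012-1106: a root-owned dump of a setuid process left group-readable.
SAMPLE_DUMPS = [
    DumpInfo("/var/spool/abrt/ccpp-sample-1/coredump", 0o640, 0, 100, True),
    DumpInfo("/var/spool/abrt/ccpp-sample-2/coredump", 0o600, 0, 0, True),
    DumpInfo("/var/spool/abrt/ccpp-sample-3/coredump", 0o644, 1000, 1000, False),
]


if __name__ == "__main__":
    for dump in SAMPLE_DUMPS:
        problems = audit_dump(dump, suid_dumpable=2)
        print(dump.path, "OK" if not problems else "; ".join(problems))
```

Run it as-is to see the constructed samples classified; on a live host, call `audit_directory(spool_dir, read_suid_dumpable(), your_hook)` and treat any non-empty list as a finding to investigate. The check deliberately reports the gid alongside a group bit, because the exposure depends on who is in that group, not just on the bit being set.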