Bug 143371 - app-crypt/heimdal setuid issue
Summary: app-crypt/heimdal setuid issue
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.pdc.kth.se/heimdal/advisor...
Whiteboard: B1 [glsa] jaervosz
Reported: 2006-08-09 11:39 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-11-11 20:40 UTC
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-09 11:39:08 UTC
2006-08-08: multiple local privilege escalation vulnerabilities
 This problem applies to systems where a setuid/seteuid call can fail due to resource exhaustion. One operating system where that is true is Linux. The programs that this problem applies to are ftpd and rcp. The problem only applies to rcp if it is installed setuid root (not done by default). 
 Patch (heimdal-0.7.2-setuid-patch) for Heimdal 0.7.2 fixes this problem. 
 One workaround is to make sure set{e,}uid doesn't fail. Also disabling ftpd and removing the setuid bit from rcp will solve the problem. 
 Thanks to Tom Yu at MIT and Michael Calmer and Marcus Meissner at SUSE for telling us about the problem. Either of CVE-2006-3083 or CVE-2006-3084 describes this problem.
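
The failure mode described in the advisory above, as an added C example (not Heimdal's code and not the referenced patch): an ignored setuid() result beside a fail-closed check. The function names and the two injected stubs are hypothetical; the failing stub sets errno to EAGAIN, the error that setuid(2) documents on Linux for resource-limit failures.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Same signature as setuid(2); injected so a failure can be simulated. */
typedef int (*setuid_fn)(uid_t);

/* Constructed stub: a setuid() that fails the way the advisory describes. */
static int failing_setuid(uid_t uid) { (void)uid; errno = EAGAIN; return -1; }

/* Constructed stub: reports success without changing any credential. */
static int noop_setuid(uid_t uid) { (void)uid; return 0; }

/* Before: result ignored. Always returns 0 ("dropped"), so the caller
 * carries on with its old uid when the call failed. */
int drop_unchecked(uid_t uid, setuid_fn do_setuid)
{
    (void)do_setuid(uid);
    return 0;
}

/* After: fail closed. Returns 0 only if the call succeeded and both the
 * real and effective uid now equal `uid`; on -1 the caller must exit. */
int drop_checked(uid_t uid, setuid_fn do_setuid)
{
    if (do_setuid(uid) != 0)
        return -1;                      /* e.g. errno == EAGAIN */
    if (getuid() != uid || geteuid() != uid)
        return -1;                      /* call "succeeded" but had no effect */
    return 0;
}

int main(void)
{
    uid_t target = getuid() + 1;        /* constructed: any uid we are not */

    printf("unchecked, setuid fails: %d (continues as uid %ld)\n",
           drop_unchecked(target, failing_setuid), (long)getuid());
    printf("checked,   setuid fails: %d\n",
           drop_checked(target, failing_setuid));
    printf("checked,   no-op setuid: %d\n",
           drop_checked(target, noop_setuid));
    return 0;
}
```

In a real daemon the caller passes `setuid` itself and terminates the session when `drop_checked` returns -1.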
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-09 11:40:24 UTC
Kerberos please provide an updated ebuild.
Comment 2 Seemant Kulleen (RETIRED) gentoo-dev 2006-08-10 19:15:16 UTC
Ebuild is on its way, sorry for the delay.
Comment 3 Seemant Kulleen (RETIRED) gentoo-dev 2006-08-10 19:20:01 UTC
Ebuild is in portage. The patch ball is on its way to the mirrors and is also in my dev.gentoo space (in SRC_URI). Will remove that some time during the stable marking, after our mirrors have the patchball.
Comment 4 Seemant Kulleen (RETIRED) gentoo-dev 2006-08-10 19:31:18 UTC
adding arches, btw
Comment 5 Joshua Jackson (RETIRED) gentoo-dev 2006-08-10 20:56:26 UTC
x86 is done, easy enough to test actually.
Comment 6 Thomas Cort (RETIRED) gentoo-dev 2006-08-10 21:51:03 UTC
amd64 stable.
Comment 7 Thomas Cort (RETIRED) gentoo-dev 2006-08-11 08:05:53 UTC
alpha stable.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2006-08-11 14:01:17 UTC
ppc stable
Comment 9 Jason Wever (RETIRED) gentoo-dev 2006-08-11 14:36:19 UTC
Stable on SPARC
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2006-08-12 07:45:25 UTC
ppc64 stable
Comment 11 René Nussbaumer (RETIRED) gentoo-dev 2006-08-12 08:15:48 UTC
stable on hppa
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2006-08-12 08:35:04 UTC
This is ready for GLSA.
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-23 12:24:20 UTC
GLSA 200608-21, thanks to all and especially daxo'
Comment 14 Joshua Kinard gentoo-dev 2006-09-03 13:36:17 UTC
0.7.2-r3 stable on mips.