Bug 381115 (CVE-2011-2921) - x11-misc/ktsuss: Local privilege escalation vulnerabilities (CVE-2011-{2921,2922})
Status: RESOLVED FIXED
Alias: CVE-2011-2921
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2011/q3/338
Whiteboard: B1 [glsa]
Keywords: PMASKED
Reported: 2011-08-30 05:55 UTC by Tim Sammut (RETIRED)
Modified: 2012-02-01 18:20 UTC
Description Tim Sammut (RETIRED) gentoo-dev 2011-08-30 05:55:59 UTC
From the note at $URL:

> I reported these bugs privately to the Debian security team and the
> upstream author some time ago, but it does not appear that any CVE was
> created as a result.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626178
>
> The 1.3 and 1.4 versions of ktsuss which include a setuid ktsuss binary
> suffered from two separate security bugs which can be used for local root
> exploits.
>
> The "1.314" version which does not include a setuid ktsuss binary and
> uses "su" for privilege escalation does not suffer from these problems.
>
> 1) When the target UID is the same as the real UID ktsuss skips
> authentication. Under these circumstances, ktsuss fails to change the
> effective UID back to the real UID. (line 118 of src/ktsuss.c in version
> 1.3.)
>
> $ ktsuss -u `whoami` whoami
> root
Use CVE-2011-2921 for the above issue.

> 2) The setuid ktsuss binary executes a GTK interface subprocess to prompt
> for username and password. This GTK interface runs as root and allows
> arbitrary code execution via the GTK_MODULES environmental variable.
Use CVE-2011-2922 for this issue.
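
The two issues above correspond to two standard defensive patterns for setuid programs: drop privileges on every code path, including a same-UID shortcut, and verify the drop; and give any helper process an explicit, allowlisted environment. The following C code is an added example, not ktsuss code or an upstream patch; the function names, the allowlist contents and the PATH value are assumptions.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Permanently give up setuid privileges. Returns 0 only when verified. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0)  /* group first, then user */
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return (ruid != 0 && setuid(0) == 0) ? -1 : 0; /* drop must be irreversible */
}

/* Assumed allowlist: the only inherited variables a helper receives. */
static const char *const ENV_ALLOW[] = { "DISPLAY", "XAUTHORITY", "LANG" };
#define N_ALLOW (sizeof ENV_ALLOW / sizeof ENV_ALLOW[0])

/* Fill envp (N_ALLOW + 2 slots) with a fixed PATH plus allowlisted variables,
 * so GTK_MODULES, LD_PRELOAD and the like never reach the child.
 * Returns the entry count, or -1 on allocation failure. */
int build_clean_env(char *envp[])
{
    int n = 0;
    if ((envp[n++] = strdup("PATH=/usr/bin:/bin")) == NULL)
        return -1;
    for (size_t i = 0; i < N_ALLOW; i++) {
        const char *val = getenv(ENV_ALLOW[i]);
        if (val == NULL) continue;
        size_t len = strlen(ENV_ALLOW[i]) + strlen(val) + 2;
        if ((envp[n] = malloc(len)) == NULL)
            return -1;
        snprintf(envp[n++], len, "%s=%s", ENV_ALLOW[i], val);
    }
    envp[n] = NULL;
    return n;
}

int main(void)
{
    char *envp[N_ALLOW + 2];
    if (build_clean_env(envp) < 0 || drop_privileges() != 0)
        return 1;                                /* fail closed */
    printf("euid=%d, first entry: %s\n", (int)geteuid(), envp[0]);
    return 0;
}
```

The array returned by build_clean_env is meant to be passed as the third argument to execve, so the child never sees the caller's own environment.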
Comment 1 Thomas Kahle (RETIRED) gentoo-dev 2011-09-25 17:39:52 UTC
I don't know how to fix it, Debian removed the package, upstream seems dead.
Time to last-rite:

  25 Sep 2011; Thomas Kahle <tomka@gentoo.org> package.mask:
  Mask x11-misc/ktsuss for removal (security bug 381115)

Thanks for the report.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-10-27 21:00:21 UTC
Package masked. GLSA request filed.
Comment 3 Thomas Kahle (RETIRED) gentoo-dev 2011-10-27 21:42:02 UTC
Package removed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2012-01-27 15:13:26 UTC
This issue was resolved and addressed in
 GLSA 201201-15 at http://security.gentoo.org/glsa/glsa-201201-15.xml
by GLSA coordinator Sean Amoss (ackle).