Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 385321 (CVE-2011-2709) - <net-libs/libgssglue-0.4: Privilege Escalation Vulnerability (CVE-2011-2709)
Summary: <net-libs/libgssglue-0.4: Privilege Escalation Vulnerability (CVE-2011-2709)
Status: RESOLVED FIXED
Alias: CVE-2011-2709
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://thread.gmane.org/gmane.comp.se...
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-10-02 05:38 UTC by Tim Sammut (RETIRED)
Modified: 2012-09-28 01:04 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2011-10-02 05:38:58 UTC 
From the Red Hat bug at https://bugzilla.redhat.com/show_bug.cgi?id=724005:

It was found that libgssapi and libgssglue GSSAPI interface exporting libraries
did not properly sanitize content of user-provided configuration file,
determining which GSS mechanisms and their definitions will be loaded during
library initialization. A local attacker, allowed to mount a network file
system (NFS) share could use this flaw to execute arbitrary code with the
privileges of the the privileged system user (root).

There appears to be a patch at: http://article.gmane.org/gmane.comp.security.oss.general/5712
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2012-08-23 10:25:35 UTC 
according to...

https://bugzilla.redhat.com/show_bug.cgi?id=724005#c9

...this is fixed with version 0.4 which is now in Portage

arches, please test and stabilize it (beware, this was non-maintainer commit):
Comment 2 Agostino Sarubbo gentoo-dev 2012-08-24 12:31:08 UTC 
amd64 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2012-08-24 14:09:55 UTC 
Stable for HPPA.
Comment 4 Michael Weber (RETIRED) gentoo-dev 2012-08-26 10:09:14 UTC 
ppc stable.
Comment 5 Andreas Schürch gentoo-dev 2012-08-30 06:35:13 UTC 
x86 stable.
Comment 6 Anthony Basile gentoo-dev 2012-09-05 20:35:09 UTC 
Stable arm
Comment 7 Anthony Basile gentoo-dev 2012-09-06 12:03:19 UTC 
Stable ppc64
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2012-09-09 11:28:49 UTC 
alpha/ia64/s390/sh/sparc stable
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-09 12:26:36 UTC 
Thanks, everyone. 

GLSA draft ready for review.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-09-28 01:04:59 UTC 
This issue was resolved and addressed in
 GLSA 201209-22 at http://security.gentoo.org/glsa/glsa-201209-22.xml
by GLSA coordinator Sean Amoss (ackle).