| Summary: | net-misc/ntp small security issue (CAN-2005-2496) |
|---|---|
| Product: | Gentoo Security |
| Component: | Vulnerabilities |
| Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | minor |
| Priority: | High |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| URL: | https://ntp.isc.org/bugs/show_bug.cgi?id=392 |
| Whiteboard: | A4 [noglsa] jaervosz |
| Package list: | |
| Runtime testing required: | --- |

Created attachment 66876: ntpd-using_wrong_group.diff

SUSE patch.

Mike please verify and patch as needed.

no point in restricting this, it's been public knowledge for like 6 months now ;)

heh, anyways I just want an updated ebuild :-)

it's been fixed in upstream dev branch ... i want to see about stable branch too, but i'll prob do ebuilds in the meantime

added fixed ebuilds to portage do a glsa if you want ;)

Thx SpanKY. Time for GLSA decision, I vote NO.

Voting NO too, I can't see this being provoked and/or exploited in any way.

When starting xntpd with the -u option and specifying the group by using a string, not a numeric gid, the daemon uses the gid of the user, not the group.

Reproduce:

    # rcxntpd start
    # ps -C ntpd -o comm,pid,ruser,euser,rgroup,egroup

Verify given and real IDs.
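
The "verify given and real IDs" step above, automated as an added example; it is not part of the bug report or the SUSE patch. It resolves the group in a `user:group` spec (name or numeric gid) and compares it with the rgroup/egroup columns of the `ps` output. The function names, the `PASSWD_FILE`/`GROUP_FILE` variables, and the sample accounts, gids and `ps` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a daemon started with "-u user:group" run with the named
# group's gid, or did it fall back to the user's primary gid?

# Print the gid for a group given by name or as a number; fail if unknown.
to_gid() {
    case $1 in
        ''|*[!0-9]*) awk -F: -v g="$1" '$1 == g { print $3; ok = 1 } END { exit !ok }' "$GROUP_FILE" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Print the gid the process should have for a "user[:group]" spec.
# Without a group part, the user's primary gid (passwd field 4) applies.
expected_gid() {
    case $1 in
        *:?*) to_gid "${1#*:}" ;;
        *) awk -F: -v u="${1%%:*}" '$1 == u { print $4; ok = 1 } END { exit !ok }' "$PASSWD_FILE" ;;
    esac
}

# Check one line of `ps -C ntpd -o comm,pid,ruser,euser,rgroup,egroup` output.
# Returns 0 on match, 1 on mismatch, 2 if a user or group cannot be resolved.
check_ps_line() {
    spec=$1
    set -- $2    # split the line: comm pid ruser euser rgroup egroup
    want=$(expected_gid "$spec") && rgid=$(to_gid "$5") && egid=$(to_gid "$6") || {
        echo "UNKNOWN: cannot resolve ids for pid $2"; return 2; }
    if [ "$rgid" = "$want" ] && [ "$egid" = "$want" ]; then
        echo "OK: pid $2 runs with gid $want"
    else
        echo "MISMATCH: pid $2 has rgid=$rgid egid=$egid, expected $want"
        return 1
    fi
}

# Constructed sample data (not real accounts): user ntp has primary group
# nogroup. On a real host, point both variables at /etc/passwd and /etc/group.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'ntp:x:74:65534::/var/lib/ntp:/bin/false\n' > "$demo_dir/passwd"
printf 'ntp:x:103:\nnogroup:x:65534:\n' > "$demo_dir/group"
PASSWD_FILE=$demo_dir/passwd GROUP_FILE=$demo_dir/group

# Started with "-u ntp:ntp": first line shows the reported behaviour, second the fix.
check_ps_line ntp:ntp 'ntpd 4242 ntp ntp nogroup nogroup' || true
check_ps_line ntp:ntp 'ntpd 4242 ntp ntp ntp ntp'
```
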