Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 194550

Summary: app-admin/rmake <1.0.12 local priv escalation issue (CVE-2007-5194)
Product: Gentoo Security Reporter: Jonathan Smith (RETIRED) <smithj>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: keytoaster, security
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://issues.rpath.com/browse/RMK-634
Whiteboard: ~1 [noglsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
patch from rpath to fix this issue none

Description Jonathan Smith (RETIRED) gentoo-dev 2007-10-02 20:31:30 UTC 
In an internal review, rPath has discovered a security issue
affecting the rMake build tool.  In its build change-root
environments, it creates a devince file called "/dev/zero" with
the device numbers belonging to /dev/port, with read and write
permissions available to any user able to use rMake.  This is a
potential local user superuser arbitrary code execution issue.

Reproducible: Always
Comment 1 Jonathan Smith (RETIRED) gentoo-dev 2007-10-02 20:32:55 UTC 
rMake has never had a stable version in the portage tree, so no advisory is required. CCing security@ in case they have other input.
Comment 2 Jonathan Smith (RETIRED) gentoo-dev 2007-10-02 20:36:16 UTC 
Created attachment 132421 [details, diff]
patch from rpath to fix this issue
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-02 20:40:29 UTC 
(In reply to comment #1)
> rMake has never had a stable version in the portage tree, so no advisory is
> required. CCing security@ in case they have other input.
> 

Yeah well since it's a security issue, please assign it directly to security :)
Would it be possible to have a fixed version in the tree? thanks.
Comment 4 Jonathan Smith (RETIRED) gentoo-dev 2007-10-02 20:43:39 UTC 
(In reply to comment #3)
> Yeah well since it's a security issue, please assign it directly to security :)
> Would it be possible to have a fixed version in the tree? thanks.

OK, my bad about the assignee.

I'll update the ebuild as soon as my gentoo box is re-delivered from Fedex (long story. *should* be <24 hrs).
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2007-10-05 13:20:20 UTC 
*** Bug 194800 has been marked as a duplicate of this bug. ***
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-17 18:53:24 UTC 
Any news on this one?
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-01 19:20:05 UTC 
any news here?
Comment 8 Jonathan Smith (RETIRED) gentoo-dev 2007-11-20 04:12:27 UTC 
yeah, sorry. the box arrived damaged and I haven't had time to repair it. if someone else wants to, an update to .12 should cause no issues. tarball is here: ftp://download.rpath.com/rmake/rmake-1.0.12.tar.bz2
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-01-08 01:15:58 UTC 
*rmake-1.0.13 (08 Jan 2008)

  08 Jan 2008; Robert Buchholz <rbu@gentoo.org> +rmake-1.0.13.ebuild:
  Version bump to fix privilege escalation vulnerability (bug #194550).
  For more changes, see NEWS file.