
Bug 211240 (CVE-2008-0162)

Summary: app-misc/splitvt <=1.6.6 "xprop" Privilege Escalation Security Issue (CVE-2008-0162)
Product: Gentoo Security
Reporter: Lars Hartmann <lars>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: shell-tools
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/29080
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description Lars Hartmann 2008-02-24 09:01:34 UTC
A security issue has been reported in SplitVT, which can be exploited by malicious, local users to gain escalated privileges.

The security issue is caused due to the program maintaining group privileges while executing the "xprop" utility. This can be exploited by malicious, local users to gain "utmp" group privileges.

The security issue is reported in versions 1.6.5 and 1.6.6. Other versions may also be affected.

Solution:
Apply the patch from Debian from http://www.debian.org/security/2008/dsa-1500
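The class of fix the description calls for, as an added C example (not splitvt's source and not the Debian patch): a setgid program sheds its elevated group in the child before executing an external helper. The function names `drop_group_privs` and `run_helper_unprivileged` are hypothetical, and `id -g` stands in for the helper so the result is visible without an X server.

```c
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up a setgid-acquired group (e.g. "utmp").
 * Returns 0 on success, -1 if the privilege could not be shed. */
int drop_group_privs(void)
{
    gid_t rgid = getgid();       /* group of the invoking user */
    gid_t old_egid = getegid();  /* elevated group, if the binary is setgid */

    /* Setting real and effective gid together also resets the saved
     * set-group-ID on Linux, so the process cannot switch back. */
    if (setregid(rgid, rgid) != 0)
        return -1;
    if (getgid() != rgid || getegid() != rgid)
        return -1;
    /* Regaining the old group must now fail. */
    if (old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    return 0;
}

/* Run an external helper in a child that has dropped the elevated group.
 * Returns the helper's exit status, or -1 on failure. */
int run_helper_unprivileged(const char *file, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_group_privs() != 0)
            _exit(126);          /* fail closed: never exec while privileged */
        execvp(file, argv);
        _exit(127);              /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *argv[] = { "id", "-g", NULL };  /* prints the gid the helper runs with */
    return run_helper_unprivileged("id", argv) == 0 ? 0 : 1;
}
```

Installed setgid and run by an ordinary user, the helper reports the user's own group; the parent keeps its group for the work that needs it because the drop happens only in the child.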
Comment 1 Lars Hartmann 2008-02-24 09:03:18 UTC
maintainers - please provide an updated ebuild
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2008-02-25 08:15:24 UTC
app-misc/splitvt-1.6.6-r1 is in the tree and includes a fix for this bug.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-25 20:30:22 UTC
Arches please test and mark stable. Target keywords are:

splitvt-1.6.6-r1.ebuild:KEYWORDS="~amd64 ~ia64 ppc sparc x86"
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2008-02-25 21:13:01 UTC
x86 stable
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2008-02-26 14:48:50 UTC
sparc stable
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2008-02-26 17:31:33 UTC
ppc stable
Comment 7 Peter Volkov (RETIRED) gentoo-dev 2008-02-26 20:22:07 UTC
Fixed in release snapshot.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-26 20:35:20 UTC
Request filed.
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-03 21:23:39 UTC
GLSA 200803-05