
Bug 381115 (CVE-2011-2921)

Summary: x11-misc/ktsuss: Local privilege escalation vulnerabilities (CVE-2011-{2921,2922})
Product: Gentoo Security Reporter: Tim Sammut (RETIRED) <underling>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: c1pher, tomka
Priority: Normal Keywords: PMASKED
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://seclists.org/oss-sec/2011/q3/338
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2011-08-30 05:55:59 UTC
From the note at $URL:

> I reported these bugs privately to the Debian security team and the
> > upstream author some time ago, but it does not appear that any CVE was
> > created as a result.
> > 
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626178
> > 
> > The 1.3 and 1.4 versions of ktsuss which include a setuid ktsuss binary
> > suffered from two separate security bugs which can be used for local root
> > exploits.
> > 
> > The "1.314" version which does not include a setuid ktsuss binary and
> > uses "su" for privilege escalation does not suffer from these problems.
> > 
> > 
> > 1) When the target UID is the same as the real UID ktsuss skips
> > authentication. Under these circumstances, ktsuss fails to change the
> > effective UID back to the real UID. (line 118 of src/ktsuss.c in version
> > 1.3.)
> > 
> > $ ktsuss -u `whoami` whoami
> > root
Use CVE-2011-2921 for the above issue.

> > 
> > 
> > 2) The setuid ktsuss binary executes a GTK interface subprocess to prompt
> > for username and password. This GTK interface runs as root and allows
> > arbitrary code execution via the GTK_MODULES environmental variable.
Use CVE-2011-2922 for this issue.
Comment 1 Thomas Kahle (RETIRED) gentoo-dev 2011-09-25 17:39:52 UTC
I don't know how to fix it, Debian removed the package, upstream seems dead.
Time to last-rite:

  25 Sep 2011; Thomas Kahle <tomka@gentoo.org> package.mask:
  Mask x11-misc/ktsuss for removal (security bug 381115)

Thanks for the report.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-10-27 21:00:21 UTC
Package masked. GLSA request filed.
Comment 3 Thomas Kahle (RETIRED) gentoo-dev 2011-10-27 21:42:02 UTC
package removed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2012-01-27 15:13:26 UTC
This issue was resolved and addressed in
 GLSA 201201-15 at http://security.gentoo.org/glsa/glsa-201201-15.xml
by GLSA coordinator Sean Amoss (ackle).