
Bug 385321 (CVE-2011-2709)

Summary: <net-libs/libgssglue-0.4: Privilege Escalation Vulnerability (CVE-2011-2709)
Product: Gentoo Security
Reporter: Tim Sammut (RETIRED) <underling>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: net-fs, ssuominen
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://thread.gmane.org/gmane.comp.security.oss.general/5544/focus=5712
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2011-10-02 05:38:58 UTC
From the Red Hat bug at https://bugzilla.redhat.com/show_bug.cgi?id=724005:

It was found that libgssapi and libgssglue GSSAPI interface exporting libraries
did not properly sanitize content of user-provided configuration file,
determining which GSS mechanisms and their definitions will be loaded during
library initialization. A local attacker, allowed to mount a network file
system (NFS) share could use this flaw to execute arbitrary code with the
privileges of the privileged system user (root).

There appears to be a patch at: http://article.gmane.org/gmane.comp.security.oss.general/5712
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2012-08-23 10:25:35 UTC
according to...

https://bugzilla.redhat.com/show_bug.cgi?id=724005#c9

...this is fixed with version 0.4 which is now in Portage

arches, please test and stabilize it (beware, this was non-maintainer commit):
Comment 2 Agostino Sarubbo gentoo-dev 2012-08-24 12:31:08 UTC
amd64 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2012-08-24 14:09:55 UTC
Stable for HPPA.
Comment 4 Michael Weber (RETIRED) gentoo-dev 2012-08-26 10:09:14 UTC
ppc stable.
Comment 5 Andreas Schürch gentoo-dev 2012-08-30 06:35:13 UTC
x86 stable.
Comment 6 Anthony Basile gentoo-dev 2012-09-05 20:35:09 UTC
Stable arm
Comment 7 Anthony Basile gentoo-dev 2012-09-06 12:03:19 UTC
Stable ppc64
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2012-09-09 11:28:49 UTC
alpha/ia64/s390/sh/sparc stable
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-09 12:26:36 UTC
Thanks, everyone.

GLSA draft ready for review.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-09-28 01:04:59 UTC
This issue was resolved and addressed in
GLSA 201209-22 at http://security.gentoo.org/glsa/glsa-201209-22.xml
by GLSA coordinator Sean Amoss (ackle).