| Summary: | <www-apps/rt-4.4.2: privilege escalation via USE=lighttpd init script | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Michael Orlitzky <mjo> |
| Component: | Auditing | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | security-audit, titanofold, web-apps |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | rt.init.d-r3 | | |

Description
Michael Orlitzky
2016-12-21 12:57:13 UTC
Created attachment 516788
rt.init.d-r3
Sorry for the huge delay on this.
I'm pretty sure just changing the test from "if it exists" to "if it's a socket" will do the trick.
The initscript also needed some additional cleanups.

Actually, this whole thing doesn't work, and upstream's recommendation is to let the web server handle it. Initscript removed with:

commit 935b1fda4c552a223ea23a8bc405571c0743c375
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date: Fri Jan 26 12:02:47 2018 -0500

    www-apps/rt: Cleanup old and insecure

    Bug: https://bugs.gentoo.org/603328
    Bug: https://bugs.gentoo.org/626196
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

@security-audit: Ping.

Can we close this now? The initscript is no longer installed. It's been resolved for 18 months.

Unrestricting and reassigning to security@ per bug #705894

unrestricting per bug 705894

(In reply to Aaron W. Swenson from comment #4)
> @security-audit: Ping.
>
> Can we close this now? The initscript is no longer installed. It's been
> resolved for 18 months.

Yep.