In an internal review, rPath has discovered a security issue affecting the rMake build tool. In its build change-root environments, it creates a devince file called "/dev/zero" with the device numbers belonging to /dev/port, with read and write permissions available to any user able to use rMake. This is a potential local user superuser arbitrary code execution issue. Reproducible: Always
rMake has never had a stable version in the portage tree, so no advisory is required. CCing security@ in case they have other input.
Created attachment 132421 [details, diff] patch from rpath to fix this issue
(In reply to comment #1) > rMake has never had a stable version in the portage tree, so no advisory is > required. CCing security@ in case they have other input. > Yeah well since it's a security issue, please assign it directly to security :) Would it be possible to have a fixed version in the tree? thanks.
(In reply to comment #3) > Yeah well since it's a security issue, please assign it directly to security :) > Would it be possible to have a fixed version in the tree? thanks. OK, my bad about the assignee. I'll update the ebuild as soon as my gentoo box is re-delivered from Fedex (long story. *should* be <24 hrs).
*** Bug 194800 has been marked as a duplicate of this bug. ***
Any news on this one?
any news here?
yeah, sorry. the box arrived damaged and I haven't had time to repair it. if someone else wants to, an update to .12 should cause no issues. tarball is here: ftp://download.rpath.com/rmake/rmake-1.0.12.tar.bz2
*rmake-1.0.13 (08 Jan 2008) 08 Jan 2008; Robert Buchholz <rbu@gentoo.org> +rmake-1.0.13.ebuild: Version bump to fix privilege escalation vulnerability (bug #194550). For more changes, see NEWS file.
