Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 512356 (CVE-2014-0476) - <app-forensics/chkrootkit-0.50: local privilege escalation (CVE-2014-0476)
Summary: <app-forensics/chkrootkit-0.50: local privilege escalation (CVE-2014-0476)
Status: RESOLVED FIXED
Alias: CVE-2014-0476
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B1 [glsa cve]
Keywords:
: 512620 516132 529308 (view as bug list)
Depends on:
Blocks:
 
Reported: 2014-06-04 08:13 UTC by Agostino Sarubbo
Modified: 2019-04-26 02:43 UTC (History)
10 users (show)

See Also:
Package list:
=app-forensics/chkrootkit-0.50
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-06-04 08:13:58 UTC
From ${URL} :

A quoting issue was found in chkrootkit which would lead to a file in /tmp/ being executed, if /tmp/ was mounted without the noexec option. chkrootkit is typically run as the root user. A local attacker could use this flaw to escalate their privileges.

The problematic part was:

file_port=$file_port $i

Which is changed to file_port="$file_port $i" to fix the issue. From the Debian diff:

--- chkrootkit-0.49.orig/debian/patches/CVE-2014-0476.patch
+++ chkrootkit-0.49/debian/patches/CVE-2014-0476.patch
@@ -0,0 +1,13 @@
+Index: chkrootkit/chkrootkit
+===================================================================
+--- chkrootkit.orig/chkrootkit
++++ chkrootkit/chkrootkit
+@@ -117,7 +117,7 @@ slapper (){
+    fi
+    for i in ${SLAPPER_FILES}; do
+       if [ -f ${i} ]; then
+-       file_port=$file_port $i
++       file_port="$file_port $i"
+          STATUS=1
+       fi
+    done



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2014-06-07 14:28:03 UTC
*** Bug 512620 has been marked as a duplicate of this bug. ***
Comment 2 Agostino Sarubbo gentoo-dev 2014-06-07 14:28:40 UTC
fixed in 0.50
Comment 3 Sławomir Nizio 2014-09-28 15:15:09 UTC
*If* there is a problem with the version bump, maybe the fix could be backported.
Comment 4 Brian Evans Gentoo Infrastructure gentoo-dev 2014-10-31 14:42:03 UTC
*** Bug 516132 has been marked as a duplicate of this bug. ***
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 20:05:56 UTC
CVE-2014-0476 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0476):
  The slapper function in chkrootkit before 0.50 does not properly quote file
  paths, which allows local users to execute arbitrary code via a Trojan horse
  executable.  NOTE: this is only a vulnerability when /tmp is not mounted
  with the noexec option.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-03-19 07:35:00 UTC
Time to PMASK...

# Aaron Bauman <bman@gentoo.org> (19 Mar 2016)
# Unpatched security vulnerability per bug #512356.
# Masked for removal in 30 days.
app-forensics/chkrootkit
Comment 7 Nico Baggus 2016-03-19 09:32:17 UTC
eh... there is a 0.50 available that PATCHES this problem..??
(already for a few years)...
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-03-19 09:58:50 UTC
(In reply to Nico Baggus from comment #7)
> eh... there is a 0.50 available that PATCHES this problem..??
> (already for a few years)...

Nico, if you are interested in proxy maintaining[0] please let us know.

[0]: https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers
Comment 9 Michael Weber (RETIRED) gentoo-dev 2016-03-21 11:44:26 UTC
I've bumped the fixed/unaffected 0.50 version, so can you please change the ban to 0.49 only? Thanks

commit ae6d6ffd8eed52b9ee9c484c6674b8e2e1d236ca
Author: Michael Weber <xmw@gentoo.org>
Date:   Mon Mar 21 12:38:27 2016 +0100

    app-forensics/chkrootkit: Version bump (bug 529308, thanks Paolo Pedroni).
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2016-03-21 11:57:14 UTC
(In reply to Michael Weber from comment #9)
> I've bumped the fixed/unaffected 0.50 version, so can you please change the
> ban to 0.49 only? Thanks
> 
> commit ae6d6ffd8eed52b9ee9c484c6674b8e2e1d236ca
> Author: Michael Weber <xmw@gentoo.org>
> Date:   Mon Mar 21 12:38:27 2016 +0100
> 
>     app-forensics/chkrootkit: Version bump (bug 529308, thanks Paolo
> Pedroni).

Michael, please just remove 0.49 and the PMASK (or I can remove the PMASK).  We can call for a rapid stabilization here from the arches due to the current 0.49 already being stabilized.
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2016-03-21 12:12:07 UTC
@arches, please stabilize on the following arches:

TARGET KEYWORDS = alpha, amd64, arm, hppa, ia64, ppc, ppc64, s390, sh, sparc, x86
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-03-21 12:13:44 UTC
PMASK adjusted to app-forensics/chkrootkit-0.49
Comment 13 Agostino Sarubbo gentoo-dev 2016-03-22 14:33:11 UTC
amd64 stable
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-25 10:30:32 UTC
*** Bug 529308 has been marked as a duplicate of this bug. ***
Comment 15 Agostino Sarubbo gentoo-dev 2016-03-27 10:16:48 UTC
ppc stable
Comment 16 Markus Meier gentoo-dev 2016-03-30 18:29:31 UTC
arm stable
Comment 17 Agostino Sarubbo gentoo-dev 2016-04-11 10:39:44 UTC
x86 stable
Comment 18 Tobias Klausmann (RETIRED) gentoo-dev 2016-05-20 11:28:11 UTC
Stable on alpha.
Comment 19 Aaron Bauman (RETIRED) gentoo-dev 2016-06-26 14:16:58 UTC
@arches, ping.
Comment 20 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-07-07 21:01:04 UTC
(removing arch teams for non-stable arches)
Comment 21 Agostino Sarubbo gentoo-dev 2016-07-08 10:03:35 UTC
sparc stable
Comment 22 Agostino Sarubbo gentoo-dev 2016-09-29 10:35:01 UTC
ppc64 stable
Comment 23 Agostino Sarubbo gentoo-dev 2016-09-29 13:29:02 UTC
ia64 stable
Comment 24 Jeroen Roovers (RETIRED) gentoo-dev 2016-10-01 09:32:01 UTC
(In reply to Aaron Bauman from comment #19)
> @arches, ping.

Bug #578208. I can't believe how people are stabilising this.
Comment 25 Yury German Gentoo Infrastructure gentoo-dev 2017-04-30 20:52:48 UTC
Can we finish the stabilization on this please? If the depends bug is not causing any issues we can stabilize at a future time.
Comment 26 Yury German Gentoo Infrastructure gentoo-dev 2017-05-28 20:58:26 UTC
Any status for hppa (this is a B1 vulnerability)?
Comment 27 Aaron Bauman (RETIRED) gentoo-dev 2017-07-08 03:02:45 UTC
@hppa any issues still here?
Comment 28 Michael Palimaka (kensington) gentoo-dev 2017-08-12 04:35:08 UTC
Cleanup done.
Comment 29 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-17 01:16:40 UTC
Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR
Comment 30 Michael Palimaka (kensington) gentoo-dev 2017-08-17 11:41:58 UTC
(In reply to Christopher Díaz from comment #29)
> Arches, please finish stabilizing hppa
> 
> Gentoo Security Padawan
> ChrisADR

HPPA is no longer a stable arch for this package per https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Policies#Dropping_Stable_KEYWORDs

Vulnerable versions have been cleaned up, security team can proceed.
Comment 31 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-17 12:34:04 UTC
Security please add to an existing glsa or file a new one

thanks,

Gentoo Security Padawan
ChrisADR
Comment 32 Yury German Gentoo Infrastructure gentoo-dev 2017-09-10 06:29:48 UTC
New GLSA Request filed.
Comment 33 GLSAMaker/CVETool Bot gentoo-dev 2017-09-17 15:45:09 UTC
This issue was resolved and addressed in
 GLSA 201709-05 at https://security.gentoo.org/glsa/201709-05
by GLSA coordinator Aaron Bauman (b-man).