Bug 512356 (CVE-2014-0476) - <app-forensics/chkrootkit-0.50: local privilege escalation (CVE-2014-0476)
Summary: <app-forensics/chkrootkit-0.50: local privilege escalation (CVE-2014-0476)
Status: RESOLVED FIXED
Alias: CVE-2014-0476
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B1 [glsa cve]
Keywords:
Duplicates: 512620 516132 529308
Depends on:
Blocks:
 
Reported: 2014-06-04 08:13 UTC by Agostino Sarubbo
Modified: 2019-04-26 02:43 UTC
CC List: 10 users

See Also:
Package list:
=app-forensics/chkrootkit-0.50
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Description Agostino Sarubbo gentoo-dev 2014-06-04 08:13:58 UTC
From ${URL} :

A quoting issue was found in chkrootkit which would lead to a file in /tmp/ being executed, if /tmp/ was mounted without the noexec option. chkrootkit is typically run as the root user. A local attacker could use this flaw to escalate their privileges.

The problematic part was:

file_port=$file_port $i

This is changed to file_port="$file_port $i" to fix the issue. From the Debian diff:

--- chkrootkit-0.49.orig/debian/patches/CVE-2014-0476.patch
+++ chkrootkit-0.49/debian/patches/CVE-2014-0476.patch
@@ -0,0 +1,13 @@
+Index: chkrootkit/chkrootkit
+===================================================================
+--- chkrootkit.orig/chkrootkit
++++ chkrootkit/chkrootkit
+@@ -117,7 +117,7 @@ slapper (){
+    fi
+    for i in ${SLAPPER_FILES}; do
+       if [ -f ${i} ]; then
+-       file_port=$file_port $i
++       file_port="$file_port $i"
+          STATUS=1
+       fi
+    done
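Review bot: the line `+       if [ -f ${i} ]; then` inside the inner hunk leaves `${i}` unquoted too; that does not execute anything, but a path containing whitespace would be split before `-f` sees it, so `if [ -f "${i}" ]; then` would be the consistent change to make alongside the quoted assignment. The quoted `file_port="$file_port $i"` is the correct fix: without the quotes the shell parses the line as "run the command `$i` with `file_port` set only in that command's environment", so the file found in `${SLAPPER_FILES}` was executed and `file_port` in the script itself was never updated.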
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
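The quoting difference described in the report, as an added example that is not chkrootkit's own code: the functions below run the vulnerable and the fixed assignment in a private scratch directory against a harmless marker script (all paths and names here are constructed), so the effect of the missing quotes can be seen without touching /tmp.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code: shows why the unquoted
# assignment in chkrootkit < 0.50 executes a file and why the quoted
# form from 0.50 does not. Uses a private scratch directory and a
# harmless marker script instead of anything under /tmp.

# Create a scratch dir holding one "found" file that only writes a
# marker next to itself when run. Prints the directory path.
setup_dir() {
    dir=$(mktemp -d "$PWD/quote-demo.XXXXXX" 2>/dev/null) || dir=$(mktemp -d) || return 1
    cat > "$dir/suspect" <<'EOF'
#!/bin/sh
echo executed > "$(dirname "$0")/marker"
EOF
    chmod +x "$dir/suspect"
    printf '%s\n' "$dir"
}

# Vulnerable pattern (chkrootkit < 0.50). The shell parses
#   file_port=$file_port $i
# as "run the command $i with file_port set in its environment":
# the path in $1 is executed and file_port is never updated.
# Returns 0 when the marker proves the file actually ran.
unquoted_assign() {
    file_port=""
    i=$1
    file_port=$file_port $i 2>/dev/null
    [ -f "$(dirname "$i")/marker" ]
}

# Fixed pattern (chkrootkit 0.50). With the quotes the line is a plain
# assignment: nothing runs and the path is appended to the list.
# Prints the resulting value of file_port.
quoted_assign() {
    file_port=""
    i=$1
    file_port="$file_port $i"
    printf '%s\n' "$file_port"
}

# Run both patterns, report, and remove the scratch dir afterwards.
demo() {
    d=$(setup_dir) || return 1
    if unquoted_assign "$d/suspect"; then echo "unquoted: file was executed"; fi
    rm -f "$d/marker"
    echo "quoted: file_port='$(quoted_assign "$d/suspect")'"
    [ -f "$d/marker" ] && echo "quoted: file was executed" || echo "quoted: nothing executed"
    rm -rf "$d"
}
```

Call `demo` after sourcing the file; on a system where the scratch directory is on a noexec mount the unquoted form fails to run the file, which is exactly the mitigation the report describes for /tmp.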
Comment 1 Agostino Sarubbo gentoo-dev 2014-06-07 14:28:03 UTC
*** Bug 512620 has been marked as a duplicate of this bug. ***
Comment 2 Agostino Sarubbo gentoo-dev 2014-06-07 14:28:40 UTC
fixed in 0.50
Comment 3 Sławomir Nizio 2014-09-28 15:15:09 UTC
*If* there is a problem with the version bump, maybe the fix could be backported.
Comment 4 Brian Evans (RETIRED) gentoo-dev 2014-10-31 14:42:03 UTC
*** Bug 516132 has been marked as a duplicate of this bug. ***
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 20:05:56 UTC
CVE-2014-0476 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0476):
  The slapper function in chkrootkit before 0.50 does not properly quote file
  paths, which allows local users to execute arbitrary code via a Trojan horse
  executable.  NOTE: this is only a vulnerability when /tmp is not mounted
  with the noexec option.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-03-19 07:35:00 UTC
Time to PMASK...

# Aaron Bauman <bman@gentoo.org> (19 Mar 2016)
# Unpatched security vulnerability per bug #512356.
# Masked for removal in 30 days.
app-forensics/chkrootkit
Comment 7 Nico Baggus 2016-03-19 09:32:17 UTC
eh... there is a 0.50 available that PATCHES this problem..??
(already for a few years)...
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-03-19 09:58:50 UTC
(In reply to Nico Baggus from comment #7)
> eh... there is a 0.50 available that PATCHES this problem..??
> (already for a few years)...

Nico, if you are interested in proxy maintaining[0] please let us know.

[0]: https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers
Comment 9 Michael Weber (RETIRED) gentoo-dev 2016-03-21 11:44:26 UTC
I've bumped the fixed/unaffected 0.50 version, so can you please change the ban to 0.49 only? Thanks

commit ae6d6ffd8eed52b9ee9c484c6674b8e2e1d236ca
Author: Michael Weber <xmw@gentoo.org>
Date:   Mon Mar 21 12:38:27 2016 +0100

    app-forensics/chkrootkit: Version bump (bug 529308, thanks Paolo Pedroni).
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2016-03-21 11:57:14 UTC
(In reply to Michael Weber from comment #9)
> I've bumped the fixed/unaffected 0.50 version, so can you please change the
> ban to 0.49 only? Thanks
> 
> commit ae6d6ffd8eed52b9ee9c484c6674b8e2e1d236ca
> Author: Michael Weber <xmw@gentoo.org>
> Date:   Mon Mar 21 12:38:27 2016 +0100
> 
>     app-forensics/chkrootkit: Version bump (bug 529308, thanks Paolo
> Pedroni).

Michael, please just remove 0.49 and the PMASK (or I can remove the PMASK).  We can call for a rapid stabilization here from the arches due to the current 0.49 already being stabilized.
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2016-03-21 12:12:07 UTC
@arches, please stabilize on the following arches:

TARGET KEYWORDS = alpha, amd64, arm, hppa, ia64, ppc, ppc64, s390, sh, sparc, x86
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-03-21 12:13:44 UTC
PMASK adjusted to app-forensics/chkrootkit-0.49
Comment 13 Agostino Sarubbo gentoo-dev 2016-03-22 14:33:11 UTC
amd64 stable
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-25 10:30:32 UTC
*** Bug 529308 has been marked as a duplicate of this bug. ***
Comment 15 Agostino Sarubbo gentoo-dev 2016-03-27 10:16:48 UTC
ppc stable
Comment 16 Markus Meier gentoo-dev 2016-03-30 18:29:31 UTC
arm stable
Comment 17 Agostino Sarubbo gentoo-dev 2016-04-11 10:39:44 UTC
x86 stable
Comment 18 Tobias Klausmann (RETIRED) gentoo-dev 2016-05-20 11:28:11 UTC
Stable on alpha.
Comment 19 Aaron Bauman (RETIRED) gentoo-dev 2016-06-26 14:16:58 UTC
@arches, ping.
Comment 20 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-07-07 21:01:04 UTC
(removing arch teams for non-stable arches)
Comment 21 Agostino Sarubbo gentoo-dev 2016-07-08 10:03:35 UTC
sparc stable
Comment 22 Agostino Sarubbo gentoo-dev 2016-09-29 10:35:01 UTC
ppc64 stable
Comment 23 Agostino Sarubbo gentoo-dev 2016-09-29 13:29:02 UTC
ia64 stable
Comment 24 Jeroen Roovers (RETIRED) gentoo-dev 2016-10-01 09:32:01 UTC
(In reply to Aaron Bauman from comment #19)
> @arches, ping.

Bug #578208. I can't believe how people are stabilising this.
Comment 25 Yury German Gentoo Infrastructure gentoo-dev 2017-04-30 20:52:48 UTC
Can we finish the stabilization on this please? If the depends bug is not causing any issues we can stabilize at a future time.
Comment 26 Yury German Gentoo Infrastructure gentoo-dev 2017-05-28 20:58:26 UTC
Any status for hppa (this is a B1 vulnerability)?
Comment 27 Aaron Bauman (RETIRED) gentoo-dev 2017-07-08 03:02:45 UTC
@hppa any issues still here?
Comment 28 Michael Palimaka (kensington) gentoo-dev 2017-08-12 04:35:08 UTC
Cleanup done.
Comment 29 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-17 01:16:40 UTC
Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR
Comment 30 Michael Palimaka (kensington) gentoo-dev 2017-08-17 11:41:58 UTC
(In reply to Christopher Díaz from comment #29)
> Arches, please finish stabilizing hppa
> 
> Gentoo Security Padawan
> ChrisADR

HPPA is no longer a stable arch for this package per https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Policies#Dropping_Stable_KEYWORDs

Vulnerable versions have been cleaned up, security team can proceed.
Comment 31 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-17 12:34:04 UTC
Security please add to an existing glsa or file a new one

thanks,

Gentoo Security Padawan
ChrisADR
Comment 32 Yury German Gentoo Infrastructure gentoo-dev 2017-09-10 06:29:48 UTC
New GLSA Request filed.
Comment 33 GLSAMaker/CVETool Bot gentoo-dev 2017-09-17 15:45:09 UTC
This issue was resolved and addressed in
 GLSA 201709-05 at https://security.gentoo.org/glsa/201709-05
by GLSA coordinator Aaron Bauman (b-man).