Bug 61797 - app-arch/star suid root vulnerability
Summary: app-arch/star suid root vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
: High normal
Assignee: Gentoo Security
URL: https://lists.berlios.de/pipermail/st...
Whiteboard: C1 [glsa] jaervosz
Reported: 2004-08-26 05:50 UTC by Wolfram Schlich (RETIRED)
Modified: 2011-10-30 22:37 UTC (History)
Description Wolfram Schlich (RETIRED) gentoo-dev 2004-08-26 05:50:49 UTC
--8<--
A problem exists for all star versions that
did support to use ssh for remote tape access.

The problem is present in star-1.5a09 ... star-1.5a45

Please upgrade to star-1.5a46
--8<--
The latest version available in portage is app-arch/star-1.5_alpha43.
It should be noted that star currently is not SUID by default.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-26 06:46:42 UTC
lostlogic, you bumped last time; please bump to the latest version.

Currently no more info on the issue.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-28 15:31:13 UTC
Bump compiles fine.
Comment 3 solar (RETIRED) gentoo-dev 2004-08-31 01:31:03 UTC
ebuild bumped to star-1.5_alpha46 (Runtime needs testing)
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-31 01:43:42 UTC
Arches please test and mark stable.
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2004-08-31 05:43:10 UTC
Sparc tasty.
Comment 6 Bryan Østergaard (RETIRED) gentoo-dev 2004-08-31 16:24:56 UTC
Stable on alpha.
Comment 7 Jochen Maes (RETIRED) gentoo-dev 2004-09-01 13:48:55 UTC
tested and stable on ppc


greetings
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-09-02 01:00:17 UTC
Reassigning Product/Component as this is not a GLSA error, it's a security bug.
Comment 9 Travis Tilley (RETIRED) gentoo-dev 2004-09-02 01:54:58 UTC
stable on amd64
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-05 03:20:06 UTC
Local priv escalation.

x86 please mark stable
Comment 11 Tim Yamin (RETIRED) gentoo-dev 2004-09-06 11:03:01 UTC
Stable on IA64.
Comment 12 Olivier Crete (RETIRED) gentoo-dev 2004-09-07 13:57:09 UTC
stable on x86
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-09-07 14:00:53 UTC
GLSA-ready
Comment 14 SpanKY gentoo-dev 2004-09-07 21:36:06 UTC
hppa stable now
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-09-08 00:54:35 UTC
GLSA 200409-11
Comment 16 solar (RETIRED) gentoo-dev 2006-05-29 17:23:56 UTC
The GLSA sent out for this bug has an error:

      <unaffected range="ge">star-1.5_alpha46</unaffected>
      <vulnerable range="lt">star-1.5_alpha46</vulnerable>

Should read:

      <unaffected range="ge">1.5_alpha46</unaffected>
      <vulnerable range="lt">1.5_alpha46</vulnerable>

Ref:
http://www.gentoo.org/security/en/glsa/glsa-200409-11.xml?passthru=1
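
An added example, not part of the original comment and not Gentoo's own tooling: a small check that flags `<unaffected>`/`<vulnerable>` values that are not bare versions, which is the error described in Comment 16. The `<affected>`/`<package>` wrapper in the sample and the version pattern are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Assumed pattern for a bare Gentoo version such as 1.5_alpha46 or 2.0.1b-r3.
VERSION_RE = re.compile(r"^\d+(\.\d+)*[a-z]?(_(alpha|beta|pre|rc|p)\d*)*(-r\d+)?$")

def check_ranges(xml_text):
    """Return (tag, range, value, problem) for every malformed range value."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag not in ("unaffected", "vulnerable"):
            continue
        value = (elem.text or "").strip()
        if VERSION_RE.match(value):
            continue  # bare version, nothing to report
        # Diagnose the Comment 16 case: a package name glued in front of the version.
        m = re.match(r"^(.+?)-(\d.*)$", value)
        if m and VERSION_RE.match(m.group(2)):
            problem = f"package name prefix {m.group(1)!r}; expected {m.group(2)!r}"
        else:
            problem = "not a valid version string"
        findings.append((elem.tag, elem.get("range"), value, problem))
    return findings

# Constructed sample: the two range lines are the ones quoted in Comment 16,
# the surrounding elements are an assumed wrapper for this example.
BROKEN = """<affected><package name="app-arch/star">
  <unaffected range="ge">star-1.5_alpha46</unaffected>
  <vulnerable range="lt">star-1.5_alpha46</vulnerable>
</package></affected>"""
FIXED = BROKEN.replace("star-1.5", "1.5")

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("fixed", FIXED)):
        results = check_ranges(doc)
        print(label, "->", results if results else "ok")
```
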
Comment 17 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-30 02:42:12 UTC
Thanks Kugelfang/solar. Should be fixed in the tree.