Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 385321 (CVE-2011-2709) - <net-libs/libgssglue-0.4: Privilege Escalation Vulnerability (CVE-2011-2709)
Summary: <net-libs/libgssglue-0.4: Privilege Escalation Vulnerability (CVE-2011-2709)
Alias: CVE-2011-2709
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on:
Reported: 2011-10-02 05:38 UTC by Tim Sammut (RETIRED)
Modified: 2012-09-28 01:04 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2011-10-02 05:38:58 UTC
From the Red Hat bug at

It was found that libgssapi and libgssglue GSSAPI interface exporting libraries
did not properly sanitize content of user-provided configuration file,
determining which GSS mechanisms and their definitions will be loaded during
library initialization. A local attacker, allowed to mount a network file
system (NFS) share could use this flaw to execute arbitrary code with the
privileges of the the privileged system user (root).

There appears to be a patch at:
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2012-08-23 10:25:35 UTC
according to...

...this is fixed with version 0.4 which is now in Portage

arches, please test and stabilize it (beware, this was non-maintainer commit):
Comment 2 Agostino Sarubbo gentoo-dev 2012-08-24 12:31:08 UTC
amd64 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2012-08-24 14:09:55 UTC
Stable for HPPA.
Comment 4 Michael Weber (RETIRED) gentoo-dev 2012-08-26 10:09:14 UTC
ppc stable.
Comment 5 Andreas Schürch gentoo-dev 2012-08-30 06:35:13 UTC
x86 stable.
Comment 6 Anthony Basile gentoo-dev 2012-09-05 20:35:09 UTC
Stable arm
Comment 7 Anthony Basile gentoo-dev 2012-09-06 12:03:19 UTC
Stable ppc64
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2012-09-09 11:28:49 UTC
alpha/ia64/s390/sh/sparc stable
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-09 12:26:36 UTC
Thanks, everyone. 

GLSA draft ready for review.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-09-28 01:04:59 UTC
This issue was resolved and addressed in
 GLSA 201209-22 at
by GLSA coordinator Sean Amoss (ackle).