Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200509-05 ] Net-SNMP: Insecure RPATH
Date: Tue, 06 Sep 2005 14:15:24
Message-Id: 431D9EA2.2010503@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200509-05
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: Net-SNMP: Insecure RPATH
9 Date: September 06, 2005
10 Bugs: #103776
11 ID: 200509-05
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 The Gentoo Net-SNMP package may provide Perl modules containing an
19 insecure DT_RPATH, potentially allowing privilege escalation.
20
21 Background
22 ==========
23
24 Net-SNMP is a suite of applications used to implement the Simple
25 Network Management Protocol.
26
27 Affected packages
28 =================
29
30 -------------------------------------------------------------------
31 Package / Vulnerable / Unaffected
32 -------------------------------------------------------------------
33 1 net-analyzer/net-snmp < 5.2.1.2-r1 >= 5.2.1.2-r1
34
35 Description
36 ===========
37
38 James Cloos reported that Perl modules from the Net-SNMP package look
39 for libraries in an untrusted location. This is due to a flaw in the
40 Gentoo package, and not the Net-SNMP suite.
41
42 Impact
43 ======
44
45 A local attacker (member of the portage group) may be able to create a
46 shared object that would be loaded by the Net-SNMP Perl modules,
47 executing arbitrary code with the privileges of the user invoking the
48 Perl script.
49
50 Workaround
51 ==========
52
53 Limit group portage access to trusted users.
54
55 Resolution
56 ==========
57
58 All Net-SNMP users should upgrade to the latest version:
59
60 # emerge --sync
61 # emerge --ask --oneshot --verbose ">=net-analyzer/net-snmp-5.2.1.2-r1"
62
63 Availability
64 ============
65
66 This GLSA and any updates to it are available for viewing at
67 the Gentoo Security Website:
68
69 http://security.gentoo.org/glsa/glsa-200509-05.xml
70
71 Concerns?
72 =========
73
74 Security is a primary focus of Gentoo Linux and ensuring the
75 confidentiality and security of our users machines is of utmost
76 importance to us. Any security concerns should be addressed to
77 security@g.o or alternatively, you may file a bug at
78 http://bugs.gentoo.org.
79
80 License
81 =======
82
83 Copyright 2005 Gentoo Foundation, Inc; referenced text
84 belongs to its owner(s).
85
86 The contents of this document are licensed under the
87 Creative Commons - Attribution / Share Alike license.
88
89 http://creativecommons.org/licenses/by-sa/2.0

Attachments

File name MIME type
signature.asc application/pgp-signature