[gentoo-announce] [ GLSA 200510-14 ] Perl, Qt-UnixODBC, CMake: RUNPATH issues - gentoo-announce

From:	Thierry Carrez <koon@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200510-14 ] Perl, Qt-UnixODBC, CMake: RUNPATH issues
Date:	Mon, 17 Oct 2005 08:25:03
Message-Id:	`43535CDD.6040900@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200510-14

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Low

8

     Title: Perl, Qt-UnixODBC, CMake: RUNPATH issues

9

      Date: October 17, 2005

10

      Bugs: #105719, #105721, #106678

11

        ID: 200510-14

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple packages suffer from RUNPATH issues that may allow users in

19

the "portage" group to escalate privileges.

20

21

Background

22

==========

23

24

Perl is a stable, cross-platform programming language created by Larry

25

Wall. Qt-UnixODBC is an ODBC library for Qt. CMake is a cross-platform

26

build environment.

27

28

Affected packages

29

=================

30

31

    -------------------------------------------------------------------

32

     Package             /  Vulnerable  /                   Unaffected

33

    -------------------------------------------------------------------

34

  1  dev-lang/perl          < 5.8.7-r1                     >= 5.8.7-r1

35

                                                          *>= 5.8.6-r6

36

  2  dev-db/qt-unixodbc     < 3.3.4-r1                     >= 3.3.4-r1

37

  3  dev-util/cmake         < 2.2.0-r1                     >= 2.2.0-r1

38

                                                          *>= 2.0.6-r1

39

    -------------------------------------------------------------------

40

     3 affected packages on all of their supported architectures.

41

    -------------------------------------------------------------------

42

43

Description

44

===========

45

46

Some packages may introduce insecure paths into the list of directories

47

that are searched for libraries at runtime. Furthermore, packages

48

depending on the MakeMaker Perl module for build configuration may have

49

incorrectly copied the LD_RUN_PATH into the DT_RPATH.

50

51

Impact

52

======

53

54

A local attacker, who is a member of the "portage" group, could create

55

a malicious shared object in the Portage temporary build directory that

56

would be loaded at runtime by a dependent executable, potentially

57

resulting in privilege escalation.

58

59

Workaround

60

==========

61

62

Only grant "portage" group rights to trusted users.

63

64

Resolution

65

==========

66

67

All Perl users should upgrade to the latest version:

68

69

    # emerge --sync

70

    # emerge --ask --oneshot --verbose dev-lang/perl

71

72

All Qt-UnixODBC users should upgrade to the latest version:

73

74

    # emerge --sync

75

    # emerge --ask --oneshot --verbose ">=dev-db/qt-unixodbc-3.3.4-r1"

76

77

All CMake users should upgrade to the latest version:

78

79

    # emerge --sync

80

    # emerge --ask --oneshot --verbose dev-util/cmake

81

82

Availability

83

============

84

85

This GLSA and any updates to it are available for viewing at

86

the Gentoo Security Website:

87

88

  http://security.gentoo.org/glsa/glsa-200510-14.xml

89

90

Concerns?

91

=========

92

93

Security is a primary focus of Gentoo Linux and ensuring the

94

confidentiality and security of our users machines is of utmost

95

importance to us. Any security concerns should be addressed to

96

security@g.o or alternatively, you may file a bug at

97

http://bugs.gentoo.org.

98

99

License

100

=======

101

102

Copyright 2005 Gentoo Foundation, Inc; referenced text

103

belongs to its owner(s).

104

105

The contents of this document are licensed under the

106

Creative Commons - Attribution / Share Alike license.

107

108

http://creativecommons.org/licenses/by-sa/2.0

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200510-14
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Low
8	Title: Perl, Qt-UnixODBC, CMake: RUNPATH issues
9	Date: October 17, 2005
10	Bugs: #105719, #105721, #106678
11	ID: 200510-14
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple packages suffer from RUNPATH issues that may allow users in
19	the "portage" group to escalate privileges.
20
21	Background
22	==========
23
24	Perl is a stable, cross-platform programming language created by Larry
25	Wall. Qt-UnixODBC is an ODBC library for Qt. CMake is a cross-platform
26	build environment.
27
28	Affected packages
29	=================
30
31	-------------------------------------------------------------------
32	Package / Vulnerable / Unaffected
33	-------------------------------------------------------------------
34	1 dev-lang/perl < 5.8.7-r1 >= 5.8.7-r1
35	*>= 5.8.6-r6
36	2 dev-db/qt-unixodbc < 3.3.4-r1 >= 3.3.4-r1
37	3 dev-util/cmake < 2.2.0-r1 >= 2.2.0-r1
38	*>= 2.0.6-r1
39	-------------------------------------------------------------------
40	3 affected packages on all of their supported architectures.
41	-------------------------------------------------------------------
42
43	Description
44	===========
45
46	Some packages may introduce insecure paths into the list of directories
47	that are searched for libraries at runtime. Furthermore, packages
48	depending on the MakeMaker Perl module for build configuration may have
49	incorrectly copied the LD_RUN_PATH into the DT_RPATH.
50
51	Impact
52	======
53
54	A local attacker, who is a member of the "portage" group, could create
55	a malicious shared object in the Portage temporary build directory that
56	would be loaded at runtime by a dependent executable, potentially
57	resulting in privilege escalation.
58
59	Workaround
60	==========
61
62	Only grant "portage" group rights to trusted users.
63
64	Resolution
65	==========
66
67	All Perl users should upgrade to the latest version:
68
69	# emerge --sync
70	# emerge --ask --oneshot --verbose dev-lang/perl
71
72	All Qt-UnixODBC users should upgrade to the latest version:
73
74	# emerge --sync
75	# emerge --ask --oneshot --verbose ">=dev-db/qt-unixodbc-3.3.4-r1"
76
77	All CMake users should upgrade to the latest version:
78
79	# emerge --sync
80	# emerge --ask --oneshot --verbose dev-util/cmake
81
82	Availability
83	============
84
85	This GLSA and any updates to it are available for viewing at
86	the Gentoo Security Website:
87
88	http://security.gentoo.org/glsa/glsa-200510-14.xml
89
90	Concerns?
91	=========
92
93	Security is a primary focus of Gentoo Linux and ensuring the
94	confidentiality and security of our users machines is of utmost
95	importance to us. Any security concerns should be addressed to
96	security@g.o or alternatively, you may file a bug at
97	http://bugs.gentoo.org.
98
99	License
100	=======
101
102	Copyright 2005 Gentoo Foundation, Inc; referenced text
103	belongs to its owner(s).
104
105	The contents of this document are licensed under the
106	Creative Commons - Attribution / Share Alike license.
107
108	http://creativecommons.org/licenses/by-sa/2.0