[gentoo-announce] [ GLSA 200511-02 ] QDBM, ImageMagick, GDAL: RUNPATH issues - gentoo-announce

From:	Thierry Carrez <koon@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200511-02 ] QDBM, ImageMagick, GDAL: RUNPATH issues
Date:	Wed, 02 Nov 2005 17:25:03
Message-Id:	`4368F139.9000204@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200511-02

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Low

8

     Title: QDBM, ImageMagick, GDAL: RUNPATH issues

9

      Date: November 02, 2005

10

      Bugs: #105717, #105760, #108534

11

        ID: 200511-02

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple packages suffer from RUNPATH issues that may allow users in

19

the "portage" group to escalate privileges.

20

21

Background

22

==========

23

24

QDBM is a library of routines for managing a database. ImageMagick is a

25

collection of tools to read, write and manipulate images. GDAL is a

26

geospatial data abstraction library.

27

28

Affected packages

29

=================

30

31

    -------------------------------------------------------------------

32

     Package                /   Vulnerable   /              Unaffected

33

    -------------------------------------------------------------------

34

  1  dev-db/qdbm                < 1.8.33-r2               >= 1.8.33-r2

35

  2  media-gfx/imagemagick     < 6.2.4.2-r1              >= 6.2.4.2-r1

36

  3  sci-libs/gdal              < 1.3.0-r1                 >= 1.3.0-r1

37

                                                          *>= 1.2.6-r4

38

    -------------------------------------------------------------------

39

     3 affected packages on all of their supported architectures.

40

    -------------------------------------------------------------------

41

42

Description

43

===========

44

45

Some packages may introduce insecure paths into the list of directories

46

that are searched for libraries at runtime. Furthermore, packages

47

depending on the MakeMaker Perl module for build configuration may have

48

incorrectly copied the LD_RUN_PATH into the DT_RPATH.

49

50

Impact

51

======

52

53

A local attacker, who is a member of the "portage" group, could create

54

a malicious shared object in the Portage temporary build directory that

55

would be loaded at runtime by a dependent executable, potentially

56

resulting in privilege escalation.

57

58

Workaround

59

==========

60

61

Only grant "portage" group rights to trusted users.

62

63

Resolution

64

==========

65

66

All QDBM users should upgrade to the latest version:

67

68

    # emerge --sync

69

    # emerge --ask --oneshot --verbose ">=dev-db/qdbm-1.8.33-r2"

70

71

All ImageMagick users should upgrade to the latest version:

72

73

    # emerge --sync

74

    # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.2.4.2-r1"

75

76

All GDAL users should upgrade to the latest version:

77

78

    # emerge --sync

79

    # emerge --ask --oneshot --verbose sci-libs/gdal

80

81

Availability

82

============

83

84

This GLSA and any updates to it are available for viewing at

85

the Gentoo Security Website:

86

87

  http://security.gentoo.org/glsa/glsa-200511-02.xml

88

89

Concerns?

90

=========

91

92

Security is a primary focus of Gentoo Linux and ensuring the

93

confidentiality and security of our users machines is of utmost

94

importance to us. Any security concerns should be addressed to

95

security@g.o or alternatively, you may file a bug at

96

http://bugs.gentoo.org.

97

98

License

99

=======

100

101

Copyright 2005 Gentoo Foundation, Inc; referenced text

102

belongs to its owner(s).

103

104

The contents of this document are licensed under the

105

Creative Commons - Attribution / Share Alike license.

106

107

http://creativecommons.org/licenses/by-sa/2.0

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200511-02
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Low
8	Title: QDBM, ImageMagick, GDAL: RUNPATH issues
9	Date: November 02, 2005
10	Bugs: #105717, #105760, #108534
11	ID: 200511-02
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple packages suffer from RUNPATH issues that may allow users in
19	the "portage" group to escalate privileges.
20
21	Background
22	==========
23
24	QDBM is a library of routines for managing a database. ImageMagick is a
25	collection of tools to read, write and manipulate images. GDAL is a
26	geospatial data abstraction library.
27
28	Affected packages
29	=================
30
31	-------------------------------------------------------------------
32	Package / Vulnerable / Unaffected
33	-------------------------------------------------------------------
34	1 dev-db/qdbm < 1.8.33-r2 >= 1.8.33-r2
35	2 media-gfx/imagemagick < 6.2.4.2-r1 >= 6.2.4.2-r1
36	3 sci-libs/gdal < 1.3.0-r1 >= 1.3.0-r1
37	*>= 1.2.6-r4
38	-------------------------------------------------------------------
39	3 affected packages on all of their supported architectures.
40	-------------------------------------------------------------------
41
42	Description
43	===========
44
45	Some packages may introduce insecure paths into the list of directories
46	that are searched for libraries at runtime. Furthermore, packages
47	depending on the MakeMaker Perl module for build configuration may have
48	incorrectly copied the LD_RUN_PATH into the DT_RPATH.
49
50	Impact
51	======
52
53	A local attacker, who is a member of the "portage" group, could create
54	a malicious shared object in the Portage temporary build directory that
55	would be loaded at runtime by a dependent executable, potentially
56	resulting in privilege escalation.
57
58	Workaround
59	==========
60
61	Only grant "portage" group rights to trusted users.
62
63	Resolution
64	==========
65
66	All QDBM users should upgrade to the latest version:
67
68	# emerge --sync
69	# emerge --ask --oneshot --verbose ">=dev-db/qdbm-1.8.33-r2"
70
71	All ImageMagick users should upgrade to the latest version:
72
73	# emerge --sync
74	# emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.2.4.2-r1"
75
76	All GDAL users should upgrade to the latest version:
77
78	# emerge --sync
79	# emerge --ask --oneshot --verbose sci-libs/gdal
80
81	Availability
82	============
83
84	This GLSA and any updates to it are available for viewing at
85	the Gentoo Security Website:
86
87	http://security.gentoo.org/glsa/glsa-200511-02.xml
88
89	Concerns?
90	=========
91
92	Security is a primary focus of Gentoo Linux and ensuring the
93	confidentiality and security of our users machines is of utmost
94	importance to us. Any security concerns should be addressed to
95	security@g.o or alternatively, you may file a bug at
96	http://bugs.gentoo.org.
97
98	License
99	=======
100
101	Copyright 2005 Gentoo Foundation, Inc; referenced text
102	belongs to its owner(s).
103
104	The contents of this document are licensed under the
105	Creative Commons - Attribution / Share Alike license.
106
107	http://creativecommons.org/licenses/by-sa/2.0