drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Ausführen von Code mit höheren Privilegien in GIMPS
Name: |
Ausführen von Code mit höheren Privilegien in GIMPS |
|
ID: |
201709-11 |
|
Distribution: |
Gentoo |
|
Plattformen: |
Keine Angabe |
|
Datum: |
Mo, 18. September 2017, 08:06 |
|
Referenzen: |
https://nvd.nist.gov/vuln/detail/CVE-2017-14484 |
|
Applikationen: |
GIMPS |
|
Originalnachricht |
--nextPart1888950.zxBAqhCeO Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="UTF-8"
=2D - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201709-11 =2D - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ =2D - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High Title: GIMPS: Root privilege escalation Date: September 17, 2017 Bugs: #603408 ID: 201709-11
=2D - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis =3D=3D=3D=3D=3D=3D=3D=3D
Gentoo's GIMPS ebuilds are vulnerable to privilege escalation due to improper permissions. A local attacker could use it to gain root privileges.
Background =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
GIMPS, the Great Internet Mersenne Prime Search, is a software capable of find Mersenne Primes, which are used in cryptography. GIMPS is also used for hardware testing.
Affected packages =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 sci-mathematics/gimps < 28.10-r1 >=3D 28.10-r1=20
Description =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
It was discovered that Gentoo=E2=80=99s default GIMPS installation suffered from a privilege escalation vulnerability in the init script. This script calls an unsafe "chown -R" command in checkconfig() function.
Impact =3D=3D=3D=3D=3D=3D
A local attacker who does not belong to the root group, but has the ability to modify the /var/lib/gimps directory can escalate privileges to the root group.
Workaround =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
There is no known workaround at this time.
Resolution =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
All GIMPS users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=3Dsci-mathematics/gimps-28.10-r1"
References =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
[ 1 ] CVE-2017-14484 https://nvd.nist.gov/vuln/detail/CVE-2017-14484
Availability =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/201709-11
Concerns? =3D=3D=3D=3D=3D=3D=3D=3D=3D
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License =3D=3D=3D=3D=3D=3D=3D
Copyright 2017 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5 --nextPart1888950.zxBAqhCeOL Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part. Content-Transfer-Encoding: 7Bit
-----BEGIN PGP SIGNATURE-----
iQEzBAABCAAdFiEEiDRK3jyVBE/RkymqpRQw84X1dt0FAlm+x5IACgkQpRQw84X1 dt3fPQf7Bs8Et9CC4LwEMyd6unzOVppEQ/wph+oIoRv34FOOwNmCmghQ2bfYMZ9v 01xs+HfAlV436dLwpHhHDvx+e2Nv37jcf4v3g2enGtX8XU5OMB6Pb0RdUCSWcdHl /mwOxSIxW3XqJjiLd1AU9OPSIwV+tSlN9t5+6NZ3ZL/XNlNxb+yXthfihA50aaeJ OwwUR1Lp2pkE0ztdC3fPQaVq5FjvfX1LmGjPG2xVrVuqhbZDHyNv9UenkGnz2t1o 6XPy1OZvb6KN6viEcDZ8a1Z3qCv0j5KLIP5dAvFlnQO3ywVqlTXJIniuVE87Vj67 /c1BRn6vzdietrVR+MUvnW7JlKX1FA== =rq0r -----END PGP SIGNATURE-----
--nextPart1888950.zxBAqhCeOL--
|
|
|
|