--=.)TVQAGF'Stt1_8
Content-Transfer-Encoding: 7bit


--------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------

PACKAGE        :links
SUMMARY        :local exploit possibility
DATE           :Tue Oct  1 03:47:05 UTC 2002

--------------------------------------------------------------------

OVERVIEW

The /usr/bin/links2 binary installed by links-2* ebuilds have had their
setuid bits set by default if the package was compiled with "svga" in
 USE.


DETAIL

The fact that this can be used in a local root exploit prompted us to
change the default setting.  Now, if the user has "svga" in USE, they
 will
be prompted in the postinstall stages to set the suid bit on
/usr/bin/links2 themselves.  For details please see:

http://bugs.gentoo.org/show_bug.cgi?id=8556

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-www/links-2* update their systems
as follows:

emerge rsync
emerge links
emerge clean

---------------------------------------------------------------------
seemant@gentoo.org
vapier@gentoo.org

-- 
Seemant Kulleen
Developer and Project Co-ordinator,
Gentoo Linux					http://www.gentoo.org/~seemant

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x225EF866
Key fingerprint = 592A 35F7 09CA FAB4 17B3  6E97 72E6 23CC 225E F866

--=.)TVQAGF'Stt1_8

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9mRuLcuYjzCJe+GYRAvdEAJ9pGlrvlUEt06hwxmaEnJWqrujBOQCfWn9A
CdYmS7XaIofQXuPsQUJr7tM=
=HUGJ
-----END PGP SIGNATURE-----

--=.)TVQAGF'Stt1_8--
_______________________________________________
gentoo-security mailing list
gentoo-security@gentoo.org
http://lists.gentoo.org/mailman/listinfo/gentoo-security