Login
Newsletter
Werbung

Sicherheit: Unzulässige Änderung von File-Permisions in pppd
Aktuelle Meldungen Distributionen
Name: Unzulässige Änderung von File-Permisions in pppd
ID:
Distribution: Gentoo
Plattformen: Keine Angabe
Datum: Mi, 31. Juli 2002, 13:00
Referenzen: Keine Angabe
Applikationen: ppp

Originalnachricht

-----------------------------------------------------------------------
GLSA: GENTOO LINUX SECURITY ANNOUNCEMENT
-----------------------------------------------------------------------
PACKAGE : ppp -- net dialup/point-to-point protocol
SUMMARY : security vulnerability in symlink creation
DATE : Wed Jul 31 14:29:24 UTC 2002
-----------------------------------------------------------------------

OVERVIEW

A race condition exists in the pppd program that may be exploited
in order to change the permissions of an arbitrary file.

DETAIL

>From the FreeBSD report:

The file specified as the tty device is opened by pppd, and the
permissions are recorded. If pppd fails to initialize the tty device in
some way (such as a failure of tcgetattr(3)), then pppd will then attempt
to restore the original permissions by calling chmod(2). The call to
chmod(2) is subject to a symlink race, so that the permissions may
`restored' on some other file.

The full advisory may be found here:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02%3A32.pppd.asc

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-dialup/ppp-2.4.1-r9 and earlier update their systems as follows.

emerge rsync
emerge ppp

------------------------------------------------------------------------
aliz@gentoo.org
seemant@gentoo.org
drobbins@gentoo.org
------------------------------------------------------------------------


--
Seemant Kulleen
Developer and Project Co-ordinator,
Gentoo Linux http://www.gentoo.org/~seemant
_______________________________________________
gentoo-announce mailing list
gentoo-announce@gentoo.org
http://lists.gentoo.org/mailman/listinfo/gentoo-announce
_______________________________________________
gentoo-security mailing list
gentoo-security@gentoo.org
http://lists.gentoo.org/mailman/listinfo/gentoo-security
Pro-Linux
Pro-Linux @Twitter
Neue Nachrichten
Werbung