GLSA Advocate
Posted: Mon Jul 10, 2017 10:26 pm
Post subject: [ glsa 201706-01 ] munge
Gentoo Linux Security Advisory
Title: MUNGE: Privilege escalation (GLSA 201706-01)
Severity: high
Exploitable: local
Date: 2017-06-06
Bug(s): #602596
ID: 201706-01
Synopsis
Gentoo's MUNGE ebuilds are vulnerable to privilege escalation due
to improper permissions.
Background
An authentication service for creating and validating credentials.
Affected Packages
Package: sys-auth/munge
Vulnerable: < 0.5.10-r2
Unaffected: >= 0.5.10-r2
Architectures: All supported architectures
Description
It was discovered that Gentoo’s default MUNGE installation suffered
from a privilege escalation vulnerability (munge user to root) due to
improper permissions and a runscript which called chown() on a
user-controlled file.
Impact
A local attacker, who either is already MUNGE’s system user or belongs
to MUNGE’s group, could potentially escalate privileges.
Workaround
There is no known workaround at this time.
Resolution
All MUNGE users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-auth/munge-0.5.10-r2"
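A pre-flight check for the class of problem in the Description (a root-run init script calling chown on a path an unprivileged user or group can influence), as an added example that is not taken from the advisory or from the MUNGE ebuild. The advisory does not name the file or the runscript lines, so the function name, the trusted-UID parameter and the demo path are assumptions; GNU stat is required.

```shell
#!/bin/sh
# Added example, not from the MUNGE ebuild. Needs GNU stat (coreutils).
# check_chown_target PATH [TRUSTED_UID]
# Returns 0 if a privileged chown of PATH cannot be redirected by an
# unprivileged user under the checks below; otherwise prints why and returns 1.
check_chown_target() {
    target=$1
    trusted_uid=${2:-0}          # hypothetical parameter; 0 = root
    parent=$(dirname -- "$target")

    # Plain chown follows symlinks and would change the link's destination.
    if [ -L "$target" ]; then
        echo "unsafe: $target is a symlink"; return 1
    fi
    # A second hard link means the inode is also reachable under another name.
    if [ -f "$target" ] && [ "$(stat -c %h -- "$target")" -gt 1 ]; then
        echo "unsafe: $target has more than one hard link"; return 1
    fi
    # Whoever owns or can write the parent can replace the entry before chown.
    if [ "$(stat -c %u -- "$parent")" != "$trusted_uid" ]; then
        echo "unsafe: $parent is not owned by uid $trusted_uid"; return 1
    fi
    case $(stat -c %a -- "$parent") in
        *[2367]?|*[2367])
            echo "unsafe: $parent is writable by group or others"; return 1 ;;
    esac
    echo "ok: $target"
}

# Constructed demo: a group-writable directory holding the file to be chowned.
demo=$(mktemp -d)
chmod 775 "$demo"
: > "$demo/daemon.log"
check_chown_target "$demo/daemon.log" "$(id -u)" || true
rm -rf "$demo"
```

The check inspects only the immediate parent directory and is a separate step from the chown itself, so it works as an audit of init scripts rather than as a lock. In the script itself, keeping the chowned path under root-owned directories and using `chown -h` is the sturdier fix.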