perl.perl5.porters, June 2012

Fwd: [oss-security] Some notes on CVE's and group privilege dropping

From: Reini Urban
Date: June 8, 2012 10:57
Subject: Fwd: [oss-security] Some notes on CVE's and group privilege dropping
Message ID: 4FD23CE8.10205@cpanel.net
Upcoming group privilege dropping CVE

POSIX and Proc::UID seem to be affected in 5.14.2 at least.
Confirmed on my system.

FW from oss-security:
http://www.openwall.com/lists/oss-security/2012/05/24/6
http://people.redhat.com/sgrubb/security/find-nodrop-groups

“It finds many, many problems dropping supplemental groups. More than I
alone want to fix.”

     dantest@dantest.dan [~]# find-nodrop-groups
     FILE PACKAGE
     /lib/security/pam_console.so pam-0.99.6.2-6.el5_5.2.src.rpm
     /usr/lib/pppd/2.4.4/winbind.so ppp-2.4.4-2.el5.src.rpm
     /usr/lib/pppd/2.4.4/passprompt.so ppp-2.4.4-2.el5.src.rpm
     /usr/lib/tclx8.4/libtclx8.4.so tclx-8.4.0-5.fc6.src.rpm
     /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/Proc/UID/UID.so file /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/Proc/UID/UID.so is not owned by any package
     /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/POSIX/POSIX.so perl-5.8.8-10.src.rpm
     /usr/lib/librpmio-4.4.so rpm-4.4.2.3-20.el5_5.1.src.rpm
     /bin/ksh93 ksh-20100202-1.el5_5.1.src.rpm
     /bin/bash bash-3.2-24.el5.src.rpm
     /bin/tar tar-1.15.1-30.el5.src.rpm
     /bin/cpio cpio-2.6-23.el5_4.1.src.rpm
     /sbin/quotacheck quota-3.13-1.2.5.el5.src.rpm
     /sbin/dhcdbd dhcdbd-2.2-2.el5.src.rpm
     /usr/bin/oldrdist rdist-6.1.5-44.src.rpm
     /usr/bin/lockfile procmail-3.22-17.1.el5.centos.src.rpm
     /usr/bin/clamscan file /usr/bin/clamscan is not owned by any package
     /usr/bin/pinfo pinfo-0.6.9-1.fc6.src.rpm
     /usr/bin/mtools mtools-3.9.10-2.fc6.src.rpm
     /usr/bin/man man-1.6d-1.1.src.rpm
     /usr/sbin/racoon ipsec-tools-0.6.5-14.el5_5.5.src.rpm
     /usr/sbin/setquota quota-3.13-1.2.5.el5.src.rpm
     /usr/sbin/pppd ppp-2.4.4-2.el5.src.rpm
     /usr/sbin/safe_finger tcp_wrappers-7.6-40.7.el5.src.rpm
     /usr/sbin/automount autofs-5.0.1-0.rc2.143.el5_5.6.src.rpm
     /usr/sbin/edquota quota-3.13-1.2.5.el5.src.rpm
     dantest@dantest.dan [~]#
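The defect behind this list is a privilege drop that calls setgid(2)/setuid(2) without first calling setgroups(2) or initgroups(3), so the "unprivileged" process keeps the supplementary groups it started with (root's, typically). Perl's POSIX::setgid and POSIX::setuid are thin wrappers over those same syscalls, so a Perl daemon that drops privileges through them inherits the problem; assigning a list to `$)` ("$gid $gid"), by contrast, passes the remainder of the list to setgroups(). The C program below is an added illustration, not code from this post, from perl's POSIX module, from Proc::UID or from find-nodrop-groups: it puts the flagged sequence beside the corrected one and uses getgroups(2) to show the difference. The helper names, the default uid/gid 65534 ("nobody" on many Linux systems) and the child-per-variant layout are the example's own assumptions.

```c
/* Added example (not from the perl5-porters post, perl's POSIX.xs,
 * Proc::UID or find-nodrop-groups): the privilege-drop pattern that
 * find-nodrop-groups flags, the corrected sequence, and a getgroups()
 * check that tells them apart.  Build: cc -Wall -o dropcheck dropcheck.c */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Number of entries in a getgroups() list that are not `target`.
 * After a correct drop to gid `target` this must be 0. */
int leftover_groups(const gid_t *groups, int ngroups, gid_t target)
{
    int n = 0;
    for (int i = 0; i < ngroups; i++)
        if (groups[i] != target)
            n++;
    return n;
}

/* Ask the kernel for the current supplementary group list and count what
 * is left besides `target`.  Returns -1 on error. */
int check_groups(gid_t target)
{
    int n = getgroups(0, NULL);            /* size query only */
    if (n < 0) return -1;
    gid_t *groups = calloc(n ? n : 1, sizeof *groups);
    if (!groups) return -1;
    n = getgroups(n, groups);
    int left = n < 0 ? -1 : leftover_groups(groups, n, target);
    free(groups);
    return left;
}

/* The sequence the scanner flags: setgid()/setuid() with no setgroups().
 * The caller's supplementary groups (root's, or whatever the daemon was
 * started with) stay attached to the "unprivileged" process. */
int drop_unsafe(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* The corrected sequence: clear supplementary groups while still
 * privileged (setgroups() needs CAP_SETGID), then gid, then uid, and
 * confirm that root cannot be regained afterwards. */
int drop_safe(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) {
        errno = EPERM;                     /* the drop did not stick */
        return -1;
    }
    return 0;
}

/* Run one drop variant in a child and report what getgroups() shows. */
static void try_drop(const char *label, int (*drop)(uid_t, gid_t),
                     uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return; }
    if (pid == 0) {
        if (drop(uid, gid) != 0) { perror(label); _exit(2); }
        printf("%-6s uid=%u gid=%u leftover supplementary groups: %d\n",
               label, (unsigned)getuid(), (unsigned)getgid(),
               check_groups(gid));
        _exit(0);
    }
    waitpid(pid, NULL, 0);
}

int main(int argc, char **argv)
{
    /* 65534 is "nobody"/"nogroup" on many Linux systems: an assumption. */
    uid_t uid = argc > 1 ? (uid_t)strtoul(argv[1], NULL, 10) : 65534;
    gid_t gid = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : 65534;

    if (geteuid() != 0) {
        printf("not root: this process holds %d supplementary group(s) "
               "besides gid %u; rerun as root to compare the two drops\n",
               check_groups(getgid()), (unsigned)getgid());
        return 0;
    }
    try_drop("unsafe", drop_unsafe, uid, gid);
    try_drop("safe", drop_safe, uid, gid);
    return 0;
}
```

Run as root, the "unsafe" child reports a non-zero leftover count (at minimum gid 0 stays in the list) while the "safe" child reports 0; that leftover count is exactly what a binary on the list above would leave behind for any group-readable resource, such as /etc/shadow or a socket owned by a privileged group. Run unprivileged, the program only reports the current process's supplementary groups, since setgroups() fails with EPERM without CAP_SETGID.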



nntp.perl.org: Perl Programming lists via nntp and http.