FYI, this just came through the [email protected] list. I'm not
sure if ksh93 is affected or even near a tangent of this CVE.

Irek

---------- Forwarded message ----------
From: Reini Urban <[email protected]>
Date: Fri, Jun 8, 2012 at 7:56 PM
Subject: Fwd: [oss-security] Some notes on CVE's and group privilege dropping
To: [email protected]


Upcoming group privilege dropping CVE

POSIX and Proc::UID seem to be affected in 5.14.2 at least.
Confirmed on my system.

FW from oss-security:
http://www.openwall.com/lists/oss-security/2012/05/24/6
http://people.redhat.com/sgrubb/security/find-nodrop-groups

“It finds many, many problems dropping supplemental groups. More than I
alone want to fix.”

   [email protected] [~]# find-nodrop-groups
   FILE PACKAGE
   /lib/security/pam_console.so pam-0.99.6.2-6.el5_5.2.src.rpm
   /usr/lib/pppd/2.4.4/winbind.so ppp-2.4.4-2.el5.src.rpm
   /usr/lib/pppd/2.4.4/passprompt.so ppp-2.4.4-2.el5.src.rpm
   /usr/lib/tclx8.4/libtclx8.4.so tclx-8.4.0-5.fc6.src.rpm

   /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/Proc/UID/UID.so file /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/Proc/UID/UID.so is not owned by any package
   /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/POSIX/POSIX.so perl-5.8.8-10.src.rpm
   /usr/lib/librpmio-4.4.so rpm-4.4.2.3-20.el5_5.1.src.rpm
   /bin/ksh93 ksh-20100202-1.el5_5.1.src.rpm
   /bin/bash bash-3.2-24.el5.src.rpm
   /bin/tar tar-1.15.1-30.el5.src.rpm
   /bin/cpio cpio-2.6-23.el5_4.1.src.rpm
   /sbin/quotacheck quota-3.13-1.2.5.el5.src.rpm
   /sbin/dhcdbd dhcdbd-2.2-2.el5.src.rpm
   /usr/bin/oldrdist rdist-6.1.5-44.src.rpm
   /usr/bin/lockfile procmail-3.22-17.1.el5.centos.src.rpm
   /usr/bin/clamscan file /usr/bin/clamscan is not owned by any package
   /usr/bin/pinfo pinfo-0.6.9-1.fc6.src.rpm
   /usr/bin/mtools mtools-3.9.10-2.fc6.src.rpm
   /usr/bin/man man-1.6d-1.1.src.rpm
   /usr/sbin/racoon ipsec-tools-0.6.5-14.el5_5.5.src.rpm
   /usr/sbin/setquota quota-3.13-1.2.5.el5.src.rpm
   /usr/sbin/pppd ppp-2.4.4-2.el5.src.rpm
   /usr/sbin/safe_finger tcp_wrappers-7.6-40.7.el5.src.rpm
   /usr/sbin/automount autofs-5.0.1-0.rc2.143.el5_5.6.src.rpm
   /usr/sbin/edquota quota-3.13-1.2.5.el5.src.rpm
   [email protected] [~]#
