Package: rpm
Version: 4.7.2-1+b2
Severity: important
Hi,
the following security issue was reported on the oss-security mailing
list. We don't need to fix this in stable, but a fix for Squeeze might
still be appropriate.
Cheers,
Moritz
Date: Wed, 02 Jun 2010 13:43:03 +0200
From: Jan Lieskovsky <[email protected]>
Subject: [oss-security] CVE Request -- rpm -- Fails to remove the SUID/SGID bits on package upgrade (RH BZ#598775)
Hi Steve, vendors,
Matt McCutchen pointed out a deficiency in the way rpm handled rpm package upgrades -- it failed to clear out the SUID/SGID bits of the old file by file replacement when a privileged user performed a package upgrade. Under certain circumstances, a local, authenticated user could use this flaw to escalate their privileges.
Red Hat Bugzilla entry:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=598775
Upstream changeset:
[2] http://rpm.org/gitweb?p=rpm.git;a=commit;h=ca2d6b2b484f1501eafdde02e1688409340d2383
Could you allocate CVE id for this?
Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
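A small model of the mitigation the report refers to, as an added example (Python rather than rpm's C, and not code from rpm or from either mail): a replacement that only unlinks the old name and writes a new file leaves the old inode's SUID/SGID bits intact, and that inode may still be reachable under another hard link; clearing the set-id bits on the old file before unlinking it removes that residue. The file names and contents below are constructed for the demonstration.

```python
import os
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def naive_replace(path: str, data: bytes, mode: int) -> None:
    """Replace `path` the way the reported upgrade did: drop the old
    directory entry and write a fresh file. The old inode keeps its mode."""
    os.unlink(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def safe_replace(path: str, data: bytes, mode: int) -> None:
    """Same replacement, but first strip SUID/SGID from the old inode so any
    other link to it no longer carries the privileged bits."""
    st = os.lstat(path)
    if stat.S_ISREG(st.st_mode) and st.st_mode & SETID_BITS:
        os.chmod(path, stat.S_IMODE(st.st_mode) & ~SETID_BITS)
    naive_replace(path, data, mode)


def demo(replace) -> int:
    """Create a setuid file (constructed sample) plus a second hard link to
    it, run `replace` on the first name, and return the set-id bits that
    remain on the old inode as seen through the second link."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "suid-tool")
        other_link = os.path.join(d, "kept-link")
        with open(target, "wb") as f:
            f.write(b"old version")
        os.chmod(target, 0o4755)
        os.link(target, other_link)  # second name for the same inode
        replace(target, b"new version", 0o4755)
        return stat.S_IMODE(os.stat(other_link).st_mode) & SETID_BITS


if __name__ == "__main__":
    print("naive replace leaves bits: %o" % demo(naive_replace))
    print("safe replace leaves bits:  %o" % demo(safe_replace))
```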
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages rpm depends on:
ii debconf [debconf-2.0] 1.5.32 Debian configuration management sy
ii libc6 2.10.2-9 Embedded GNU C Library: Shared lib
ii libelf1 0.146-1 library to read and write ELF file
ii libnss3-1d 3.12.6-2 Network Security Service libraries
ii libpopt0 1.16-1 lib for parsing cmdline parameters
ii librpm0 4.7.2-1+b2 RPM shared library
ii librpmbuild0 4.7.2-1+b2 RPM build shared library
ii librpmio0 4.7.2-1+b2 RPM IO shared library
ii perl 5.10.1-12 Larry Wall's Practical Extraction
ii rpm-common 4.7.2-1 common files for RPM
ii rpm2cpio 4.7.2-1+b2 tool to convert RPM package to CPI
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
rpm recommends no packages.
Versions of packages rpm suggests:
pn alien <none> (no description available)
ii elfutils 0.146-1 collection of utilities to handle
pn rpm-i18n <none> (no description available)
-- debconf information:
* rpm/upgrade-failed: