Re: CVE request: two vulnerabilities in ktsuss 1.4 and earlier

[Josh Bressers <bressers () redhat com>]

----- Original Message -----
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I reported these bugs privately to the Debian security team and the
> upstream author some time ago, but it does not appear that any CVE was
> created as a result.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626178
>
> The 1.3 and 1.4 versions of ktsuss which include a setuid ktsuss binary
> suffered from two separate security bugs which can be used for local root
> exploits.
>
> The "1.314" version which does not include a setuid ktsuss binary and
> uses "su" for privilege escalation does not suffer from these problems.
>
>
> 1) When the target UID is the same as the real UID ktsuss skips
> authentication. Under these circumstances, ktsuss fails to change the
> effective UID back to the real UID. (line 118 of src/ktsuss.c in version
> 1.3.)
>
> $ ktsuss -u `whoami` whoami
> root

Use CVE-2011-2921 for the above issue.

> 2) The setuid ktsuss binary executes a GTK interface subprocess to prompt
> for username and password. This GTK interface runs as root and allows
> arbitrary code execution via the GTK_MODULES environmental variable.

Use CVE-2011-2922 for this issue.

Thanks.

-- 
    JB