Bugtraq mailing list archives
[ GLSA 200509-05 ] Net-SNMP: Insecure RPATH
From: Thierry Carrez <koon () gentoo org>
Date: Tue, 06 Sep 2005 15:50:26 +0200
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200509-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Net-SNMP: Insecure RPATH Date: September 06, 2005 Bugs: #103776 ID: 200509-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== The Gentoo Net-SNMP package may provide Perl modules containing an insecure DT_RPATH, potentially allowing privilege escalation. Background ========== Net-SNMP is a suite of applications used to implement the Simple Network Management Protocol. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-analyzer/net-snmp < 5.2.1.2-r1 >= 5.2.1.2-r1 Description =========== James Cloos reported that Perl modules from the Net-SNMP package look for libraries in an untrusted location. This is due to a flaw in the Gentoo package, and not the Net-SNMP suite. Impact ====== A local attacker (member of the portage group) may be able to create a shared object that would be loaded by the Net-SNMP Perl modules, executing arbitrary code with the privileges of the user invoking the Perl script. Workaround ========== Limit group portage access to trusted users. Resolution ========== All Net-SNMP users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-analyzer/net-snmp-5.2.1.2-r1" Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200509-05.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security () gentoo org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- [ GLSA 200509-05 ] Net-SNMP: Insecure RPATH Thierry Carrez (Sep 06)