oss-sec mailing list archives
CVE request: enlightenment sysactions
From: Martin Carpenter <mcarpenter () free fr>
Date: Thu, 30 Jan 2014 23:30:51 +0100
Hi,

Red Hat Security suggested I request a CVE here since this potentially affects multiple distros/maintainers.

The Enlightenment window manager (enlightenment.org) was found to ship with (a) a setuid root helper that did not effectively sanitize its environment and (b) a weak default configuration. Users in select groups could exploit this to execute arbitrary programs as root.

This was fixed upstream in 3 commits each for both e17 and e18 branches, with two new releases shipped shortly after:

0.17.6, Dec 4th 2013: [1], [2], [3]
0.18.0, Dec 21st 2013: [4], [5], [6]

Fedora has a bug filed against it at [7] referencing the e18 commits.

Thanks,
Martin.

[1] https://git.enlightenment.org/core/enlightenment.git/commit/?id=ea605237bb64ee09341121461b3d2c0f5dbe832d
[2] https://git.enlightenment.org/core/enlightenment.git/commit/?id=126afd0fda493deec8398088e6e928b4d2e5f463
[3] https://git.enlightenment.org/core/enlightenment.git/commit/?id=8cabf2708520539cf25ca0a876f9c044f6d56a77
[4] https://git.enlightenment.org/core/enlightenment.git/commit/?id=9456e88504cb5daddbac3f49373a3a9a8577e27a
[5] https://git.enlightenment.org/core/enlightenment.git/commit/?id=666df815cd86a50343859bce36c5cf968c5f38b0
[6] https://git.enlightenment.org/core/enlightenment.git/commit/?id=bb4a21e98656fe2c7d98ba2163e6defe9a630e2b
[7] https://bugzilla.redhat.com/show_bug.cgi?id=1059410
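
Added example, not part of the original message and not Enlightenment's code or its upstream fix: one common way a setuid helper can sanitize its environment, by building a fresh environment from an allowlist instead of filtering out known-bad names. The allowlist, the fixed PATH value and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allowlist: the only inherited variables the helper passes on. */
static const char *const KEEP[] = { "DISPLAY", "LANG", "TERM", "XAUTHORITY" };
/* Assumed fixed search path; the caller's PATH is never inherited. */
static const char SAFE_PATH[] = "PATH=/usr/sbin:/usr/bin:/sbin:/bin";

/* Length of NAME if entry is "NAME=value" and NAME is allowlisted, else 0. */
static size_t allowed_name_len(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t n = eq ? (size_t)(eq - entry) : 0;   /* no '=' or empty name: 0 */
    for (size_t i = 0; n && i < sizeof KEEP / sizeof KEEP[0]; i++)
        if (strlen(KEEP[i]) == n && strncmp(entry, KEEP[i], n) == 0)
            return n;
    return 0;
}

/* Fill out[] (capacity cap, NULL-terminated) with SAFE_PATH plus the first
 * occurrence of each allowlisted entry of in[]. Returns the entry count,
 * or -1 if cap is too small. Entries are borrowed from in[], not copied. */
static int build_clean_env(char *const in[], const char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2)
        return -1;
    out[n++] = SAFE_PATH;
    for (size_t i = 0; in && in[i]; i++) {
        size_t len = allowed_name_len(in[i]), dup = 0;
        for (size_t j = 1; len && j < n; j++)
            dup |= strncmp(out[j], in[i], len + 1) == 0;  /* same "NAME=" */
        if (!len || dup)
            continue;        /* not allowlisted, malformed, or a repeat */
        if (n + 1 >= cap)
            return -1;
        out[n++] = in[i];
    }
    out[n] = NULL;
    return (int)n;
}

int main(void)
{
    /* Constructed sample of an untrusted caller environment. */
    char *const sample[] = { "LD_PRELOAD=/tmp/x.so", "PATH=/tmp:/bin", "DISPLAY=:0", NULL };
    const char *clean[8];
    int n = build_clean_env(sample, clean, 8);
    for (int i = 0; i < n; i++)
        puts(clean[i]);
    return 0;
}
```

The resulting array is intended to be passed as the envp argument of execve() in place of the inherited environment.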