GNU userv Service Program Environment Corruption Vulnerability

userv is a facility that allows one program to invoke another (the Service Program) where only limited trust exists between the two.

Under certain conditions, a malicious user could corrupt the USERV_GIDS and USERV_GROUPS environment variables passed to a userv child process.

Before a Service Program is exec'd by a userv child process, these variables are used to make access control decisions. If USERV_GIDS and USERV_GROUPS are corrupted, the Service Program could be made to carry out otherwise unauthorized actions.


 

Privacy Statement
Copyright 2010, SecurityFocus