OpenLDAP and Gauche suffer from RUNPATH issues that may allow users in
the "portage" group to escalate privileges.
Background
==========
OpenLDAP is a suite of LDAP-related application and development tools.
Gauche is an R5RS Scheme interpreter.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-nds/openldap < 2.2.28-r3 >= 2.2.28-r3
*>= 2.1.30-r6
2 dev-lang/gauche < 0.8.6-r1 >= 0.8.6-r1
-------------------------------------------------------------------
2 affected packages on all of their supported architectures.
-------------------------------------------------------------------
Description
===========
Gentoo packaging for OpenLDAP and Gauche may introduce insecure paths
into the list of directories that are searched for libraries at
runtime.
Impact
======
A local attacker, who is a member of the "portage" group, could create
a malicious shared object in the Portage temporary build directory that
would be loaded at runtime by a dependent binary, potentially resulting
in privilege escalation.
Workaround
==========
Only grant "portage" group rights to trusted users.
Resolution
==========
All OpenLDAP users should upgrade to the latest version:
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security (at) gentoo (dot) org [email concealed] or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
Gentoo Linux Security Advisory GLSA 200512-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: OpenLDAP, Gauche: RUNPATH issues
Date: December 15, 2005
Bugs: #105380, #112577
ID: 200512-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
OpenLDAP and Gauche suffer from RUNPATH issues that may allow users in
the "portage" group to escalate privileges.
Background
==========
OpenLDAP is a suite of LDAP-related application and development tools.
Gauche is an R5RS Scheme interpreter.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-nds/openldap < 2.2.28-r3 >= 2.2.28-r3
*>= 2.1.30-r6
2 dev-lang/gauche < 0.8.6-r1 >= 0.8.6-r1
-------------------------------------------------------------------
2 affected packages on all of their supported architectures.
-------------------------------------------------------------------
Description
===========
Gentoo packaging for OpenLDAP and Gauche may introduce insecure paths
into the list of directories that are searched for libraries at
runtime.
Impact
======
A local attacker, who is a member of the "portage" group, could create
a malicious shared object in the Portage temporary build directory that
would be loaded at runtime by a dependent binary, potentially resulting
in privilege escalation.
Workaround
==========
Only grant "portage" group rights to trusted users.
Resolution
==========
All OpenLDAP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose net-nds/openldap
All Gauche users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/gauche-0.8.6-r1"
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200512-07.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security (at) gentoo (dot) org [email concealed] or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFDoV1NvcL1obalX08RAqFOAKCDhP+VaOfP323LLMsX1VFEEzMYYgCfY6LT
wZmYVNd8jtlOd7NAtSDs5Gw=
=Ql6p
-----END PGP SIGNATURE-----
[ reply ]