Bugtraq mailing list archives

[CLSA-2000:340] Conectiva Linux Security Announcement - modutils
From: secure () CONECTIVA COM BR
Date: Wed, 22 Nov 2000 18:46:59 -0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- -----------------------------------------------------------------------

PACKAGE   : modutils
SUMMARY   : Local root exploit in modutils
DATE      : 2000-11-22 18:46:00
ID        : CLSA-2000:340
RELEVANT
RELEASES  : 5.1

- ----------------------------------------------------------------------

DESCRIPTION
 The modutils package contains a utility called modprobe which is
 normally used by the kernel when loading modules on demand.
 In versions higher than 2.1.121, the modprobe utility could be
 tricked into executing commands supplied as a module name. A normal
 user cannot load kernel modules, but he/she can make the kernel at
 least try to load a module with a given name by other means. If, as a
 result, modprobe is called (with root privileges), the commands will
 be executed as root or could at least be interpreted as options for
 the modprobe program.


SOLUTION
 All Conectiva Linux 5.1 users should upgrade immediately. Prior
 versions use modutils 2.1.121 (or earlier), which does not contain
 this vulnerability.


ACKNOWLEDGEMENTS
 This problem was found by Sebastian Krahmer and first reported to
 Bugtraq by Michal Zalewski.
 We would like to thank Keith Owens for releasing a new version that
 addresses the security issues.


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/modutils-2.3.21-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/modutils-2.3.21-1cl.i386.rpm


- ----------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key can be
obtained at http://www.conectiva.com.br/contato

- -----------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://www.conectiva.com.br/suporte/atualizacoes

- ----------------------------------------------------------------------
subscribe: atualizacoes-anuncio-subscribe () papaleguas conectiva com br
unsubscribe: atualizacoes-anuncio-unsubscribe () papaleguas conectiva com br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6HDDC42jd0JmAcZARAoGYAJ47H59/8fhWPWWznfGsg6FDlQjq6QCgo09B
RvGgasFckp89sYJPNGmL9uQ=
=TnVy
-----END PGP SIGNATURE-----

