SUS: Local root vulnerability

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200409-17 / SUS
Release Date September 14, 2004
Latest Revision May 22, 2006 (revision 02)
Impact high
Exploitable local
Package app-admin/sus
Vulnerable versions < 2.0.2-r1
Unaffected versions >= 2.0.2-r1
Architecture(s) All supported architectures

Related bugreports: #63927

Synopsis

SUS contains a format string bug that could lead to local privilege escalation.

2.  Impact Information

Background

SUS is a utility that allows regular users to execute certain commands as root.

Description

Leon Juranic found a bug in the logging functionality of SUS that can lead to local privilege escalation. A format string vulnerability exists in the log() function due to an incorrect call to the syslog() function.
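As an added illustration (not code from SUS or from the advisory), the vulnerable call pattern described above is shown beside a hardened logging helper; the function names, the log line layout and the constructed sample username are assumptions:

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* The bug class in the advisory: untrusted text used as the format argument.
 * Anything the user can place in `msg` (for example "%x" or "%n") is then
 * parsed by syslog(3) as conversion directives.  Shown as a comment only;
 * compiling it with gcc -Wformat-security reports exactly this pattern.
 *
 *     void log_vulnerable(const char *msg) { syslog(LOG_INFO, msg); }
 */

/* Hardened helper: build the log line with a literal format string and bind
 * the untrusted text to a %s conversion, so any '%' in it stays plain data.
 * Returns the number of bytes written to buf (excluding the NUL), or -1. */
int build_log_line(char *buf, size_t n, const char *user, const char *cmd)
{
    int len = snprintf(buf, n, "sus: user=%s cmd=%s", user, cmd);
    if (len < 0)
        return -1;
    /* On truncation report what actually fits in the buffer. */
    return (size_t)len < n ? len : (int)(n - 1);
}

/* Hardened log(): the format is a constant; `line` is always an argument. */
void log_safe(const char *user, const char *cmd)
{
    char line[256];
    if (build_log_line(line, sizeof line, user, cmd) < 0)
        return;
    syslog(LOG_INFO, "%s", line);
}

int main(void)
{
    /* Constructed input: a username that contains conversion directives. */
    char line[256];
    int len = build_log_line(line, sizeof line, "alice%x%p", "/bin/ls");
    printf("%d bytes: %s\n", len, line);
    return 0;
}
```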

Impact

An attacker with local user privileges can potentially exploit this vulnerability to gain root access.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All SUS users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge sync

# emerge -pv ">=app-admin/sus-2.0.2-r1"
# emerge ">=app-admin/sus-2.0.2-r1"


Page updated September 14, 2004

Summary: This is a Gentoo Linux Security Advisory
