GIMPS, SETI@home, ChessBrain: Insecure installation
1. Gentoo Linux Security Advisory
Version Information
| Advisory Reference | GLSA 200411-26 / GIMPS,SETI@home,ChessBrain |
| Release Date | November 17, 2004 |
| Latest Revision | May 22, 2006: 03 |
| Impact | high |
| Exploitable | local |
| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| sci-misc/gimps | <= 23.9 | >= 23.9-r1 | All supported architectures |
| sci-misc/setiathome | <= 3.08-r3 | >= 3.08-r4, revision >= 3.03-r2 | All supported architectures |
| sci-misc/chessbrain | <= 20407 | >= 20407-r1 | All supported architectures |
Related bugreports: #69868
Synopsis
Improper file ownership allows user-owned files to be run with root
privileges by init scripts.
2. Impact Information
Background
GIMPS is a client for the distributed Great Internet Mersenne Prime
Search. SETI@home is the client for the Search for Extraterrestrial
Intelligence (SETI) project. ChessBrain is the client for the
distributed chess supercomputer.
Description
GIMPS, SETI@home and ChessBrain ebuilds install user-owned binaries and
init scripts which are executed with root privileges.
Impact
This could lead to a local privilege escalation or root compromise.
3. Resolution Information
Workaround
There is no known workaround at this time.
Resolution
All GIMPS users should upgrade to the latest version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=sci-misc/gimps-23.9-r1"
All SETI@home users should upgrade to the latest version:
Code Listing 3.2: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=sci-misc/setiathome-3.03-r2"
All ChessBrain users should upgrade to the latest version:
Code Listing 3.3: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=sci-misc/chessbrain-20407-r1"
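The ownership problem in the Description can be checked for directly on a host. The script below is an added example, not part of the advisory or of the Gentoo ebuilds: it walks an init script directory and reports each script, each executable the script names, and each containing directory that is not owned by root or is group/world-writable. The TRUSTED_UID variable, the path-matching pattern and the audit.sh file name are assumptions of this sketch.

```sh
#!/bin/sh
# Added example, not part of the advisory: report files that init scripts run
# as root but that a non-root account owns or can modify.
# TRUSTED_UID is an assumption of this sketch (0 = root on a real system).
TRUSTED_UID="${TRUSTED_UID:-0}"

# unsafe_path PATH: print PATH and return 0 when it is not owned by
# TRUSTED_UID or is group/world-writable; return 1 otherwise.
unsafe_path() {
    hit=$(find -L "$1" -prune \
        \( ! -user "$TRUSTED_UID" -o -perm -020 -o -perm -002 \) -print 2>/dev/null)
    [ -n "$hit" ] && { printf '%s\n' "$hit"; return 0; }
    return 1
}

# audit_initdir DIR: check each executable init script in DIR, every absolute
# path it mentions that exists as an executable file, and the directory
# holding each of those files (a writable directory allows replacement).
audit_initdir() {
    rc=0
    for script in "$1"/*; do
        targets=$(grep -oE '/[A-Za-z0-9_./+-]+' "$script" 2>/dev/null | sort -u)
        for p in "$script" $targets; do
            [ -f "$p" ] && [ -x "$p" ] || continue
            for c in "$p" "$(dirname "$p")"; do
                if unsafe_path "$c" >/dev/null; then
                    echo "UNSAFE $script -> $c"
                    rc=1
                fi
            done
        done
    done
    return "$rc"
}

# Run as: sh audit.sh /etc/init.d   (script name is hypothetical)
if [ -n "${1:-}" ]; then audit_initdir "$1"; fi
```

Each output line names the init script and the path that failed the check; the exit status is non-zero when anything was reported.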