lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 29 Jan 2007 17:24:31 -0500
From: rPath Update Announcements <>
Subject: rPSA-2007-0020-2 rmake

rPath Security Advisory: 2007-0020-2
Published: 2007-01-25
    2007-01-29 1.0.4 resolves additional similar issue
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
    Local Root Deterministic Privilege Escalation
Updated Versions:


    Previous versions of the rmake package do not drop supplemental users
    in the changeroot environment for builds.  This provides malicious
    packages with excess permissions that are configuration-dependent,
    and may allow local users to run arbitrary code as the root user.
    29 January 2007 Update: An audit uncovered one other part of rMake
    that contained a similar issue, enabling local users to provide
    malicious recipes that enable the same type of attack.  rMake 1.0.4
    resolves both issues.

Powered by blists - more mailing lists