You are here
Home > Preporuke > Ranjivost programskog paketa chkrootkit

Ranjivost programskog paketa chkrootkit

  • Detalji os-a: FED
  • Važnost: IMP
  • Operativni sustavi: L
  • Kategorije: LFE

——————————————————————————–
Fedora Update Notification
FEDORA-2014-7071
2014-06-05 03:32:42
——————————————————————————–

Name : chkrootkit
Product : Fedora 20
Version : 0.49
Release : 9.fc20
URL : http://www.chkrootkit.org
Summary : Tool to locally check for signs of a rootkit
Description :
chkrootkit is a tool to locally check for signs of a rootkit.
It contains:

* chkrootkit: shell script that checks system binaries for
rootkit modification.
* ifpromisc: checks if the network interface is in promiscuous mode.
* chklastlog: checks for lastlog deletions.
* chkwtmp: checks for wtmp deletions.
* chkproc: checks for signs of LKM trojans.
* chkdirs: checks for signs of LKM trojans.
* strings: quick and dirty strings replacement.
* chkutmp: checks for utmp deletions.

——————————————————————————–
Update Information:

A quoting issue was found in chkrootkit which would lead to a file in /tmp/ being executed, if /tmp/ was mounted without the noexec option. chkrootkit is typically run as the root user. A local attacker could use this flaw to escalate their privileges.

The problematic part was:

file_port=$file_port $i

Which is changed to file_port=”$file_port $i” to fix the issue. From the Debian diff:

— chkrootkit-0.49.orig/debian/patches/CVE-2014-0476.patch
+++ chkrootkit-0.49/debian/patches/CVE-2014-0476.patch
@@ -0,0 +1,13 @@
+Index: chkrootkit/chkrootkit
+===================================================================
+— chkrootkit.orig/chkrootkit
++++ chkrootkit/chkrootkit
+@@ -117,7 +117,7 @@ slapper (){
+ fi
+ for i in ${SLAPPER_FILES}; do
+ if [ -f ${i} ]; then
+- file_port=$file_port $i
++ file_port=”$file_port $i”
+ STATUS=1
+ fi
+ done

Acknowledgements:

Red Hat would like to thank Thomas Stangner for reporting this issue.
——————————————————————————–
ChangeLog:

* Wed Jun 4 2014 Jon Ciesla <limburgher@gmail.com> – 0.49-9
– Patch for CVE-2014-0476, BZ 1104456, 11044567.
——————————————————————————–
References:

[ 1 ] Bug #1104456 – CVE-2014-0476 chkrootkit: local privilege escalation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1104456
[ 2 ] Bug #1104457 – CVE-2014-0476 chkrootkit: local privilege escalation [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1104457
——————————————————————————–

This update can be installed with the “yum” update program. Use
su -c ‘yum update chkrootkit’ at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce

——————————————————————————–
Fedora Update Notification
FEDORA-2014-7090
2014-06-05 03:33:25
——————————————————————————–

Name : chkrootkit
Product : Fedora 19
Version : 0.49
Release : 9.fc19
URL : http://www.chkrootkit.org
Summary : Tool to locally check for signs of a rootkit
Description :
chkrootkit is a tool to locally check for signs of a rootkit.
It contains:

* chkrootkit: shell script that checks system binaries for
rootkit modification.
* ifpromisc: checks if the network interface is in promiscuous mode.
* chklastlog: checks for lastlog deletions.
* chkwtmp: checks for wtmp deletions.
* chkproc: checks for signs of LKM trojans.
* chkdirs: checks for signs of LKM trojans.
* strings: quick and dirty strings replacement.
* chkutmp: checks for utmp deletions.

——————————————————————————–
Update Information:

A quoting issue was found in chkrootkit which would lead to a file in /tmp/ being executed, if /tmp/ was mounted without the noexec option. chkrootkit is typically run as the root user. A local attacker could use this flaw to escalate their privileges.

The problematic part was:

file_port=$file_port $i

Which is changed to file_port=”$file_port $i” to fix the issue. From the Debian diff:

— chkrootkit-0.49.orig/debian/patches/CVE-2014-0476.patch
+++ chkrootkit-0.49/debian/patches/CVE-2014-0476.patch
@@ -0,0 +1,13 @@
+Index: chkrootkit/chkrootkit
+===================================================================
+— chkrootkit.orig/chkrootkit
++++ chkrootkit/chkrootkit
+@@ -117,7 +117,7 @@ slapper (){
+ fi
+ for i in ${SLAPPER_FILES}; do
+ if [ -f ${i} ]; then
+- file_port=$file_port $i
++ file_port=”$file_port $i”
+ STATUS=1
+ fi
+ done

Acknowledgements:

Red Hat would like to thank Thomas Stangner for reporting this issue.
——————————————————————————–
ChangeLog:

* Wed Jun 4 2014 Jon Ciesla <limburgher@gmail.com> – 0.49-9
– Patch for CVE-2014-0476, BZ 1104456, 11044567.
* Sat Aug 3 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> – 0.49-8
– Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
——————————————————————————–
References:

[ 1 ] Bug #1104456 – CVE-2014-0476 chkrootkit: local privilege escalation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1104456
[ 2 ] Bug #1104457 – CVE-2014-0476 chkrootkit: local privilege escalation [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1104457
——————————————————————————–

This update can be installed with the “yum” update program. Use
su -c ‘yum update chkrootkit’ at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
7e

AutorTomislav Protega
Cert idNCERT-REF-2014-06-0014-ADV
CveCVE-2014-0476
ID izvornikaFEDORA-2014-7071 FEDORA-2014-7090
Proizvodchkrootkit
Izvorhttp://www.redhat.com
Top
More in Preporuke
Sigurnosni propust programskog paketa apt

Otkrivena je nepravilnost u izvođenju provjera autentikacije za izvorne pakete preuzetih pomoću naredbe "apt-get source". Ovaj propust ne zahvaća regularnu...

Close