The following updates has been released for Gentoo Linux:
GLSA 201709-09 : Subversion: Arbitrary code execution
GLSA 201709-10 : Git: Command injection
GLSA 201709-11 : GIMPS: Root privilege escalation
GLSA 201709-12 : Perl: Race condition vulnerability
GLSA 201709-13 : SquirrelMail: Remote Code Execution
GLSA 201709-14 : cURL: Multiple vulnerabilities
GLSA 201709-09 : Subversion: Arbitrary code execution
GLSA 201709-10 : Git: Command injection
GLSA 201709-11 : GIMPS: Root privilege escalation
GLSA 201709-12 : Perl: Race condition vulnerability
GLSA 201709-13 : SquirrelMail: Remote Code Execution
GLSA 201709-14 : cURL: Multiple vulnerabilities
GLSA 201709-09 : Subversion: Arbitrary code execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201709-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Subversion: Arbitrary code execution
Date: September 17, 2017
Bugs: #627480
ID: 201709-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A command injection vulnerability in Subversion may allow remote
attackers to execute arbitrary code.
Background
==========
Subversion is a version control system intended to eventually replace
CVS. Like CVS, it has an optional client-server architecture (where the
server can be an Apache server running mod_svn, or an ssh program as in
CVS’s :ext: method). In addition to supporting the features found in
CVS, Subversion also provides support for moving and copying files and
directories.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-vcs/subversion < 1.9.7 >= 1.9.7
*> 1.8.18
Description
===========
Specially crafted 'ssh://...' URLs may allow the owner of the
repository to execute arbitrary commands on client's machine if those
commands are already installed on the client's system. This is
especially dangerous when the third-party repository has one or more
submodules with specially crafted 'ssh://...' URLs. Each time the
repository is recursively cloned or submodules are updated the payload
will be triggered.
Impact
======
A remote attacker, by enticing a user to clone a specially crafted
repository, could possibly execute arbitrary code with the privileges
of the process.
Workaround
==========
There are several alternative ways to fix this vulnerability. Please
refer to Subversion Team Announce for more details.
Resolution
==========
All Subversion 1.9.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/subversion-1.9.7"
All Subversion 1.8.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/subversion-1.8.18"
References
==========
[ 1 ] CVE-2017-9800
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9800
[ 2 ] Subversion Team Announce
https://subversion.apache.org/security/CVE-2017-9800-advisory.txt
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201709-09
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
GLSA 201709-10 : Git: Command injection
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201709-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Git: Command injection
Date: September 17, 2017
Bugs: #627488
ID: 201709-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A command injection vulnerability in Git may allow remote attackers to
execute arbitrary code.
Background
==========
Git is a small and fast distributed version control system designed to
handle small and large projects.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-vcs/git < 2.13.5 >= 2.13.5
Description
===========
Specially crafted 'ssh://...' URLs may allow the owner of the
repository to execute arbitrary commands on client's machine if those
commands are already installed on the client's system. This is
especially dangerous when the third-party repository has one or more
submodules with specially crafted 'ssh://...' URLs. Each time the
repository is recursively cloned or submodules are updated the payload
will be triggered.
Impact
======
A remote attacker, by enticing a user to clone a specially crafted
repository, could possibly execute arbitrary code with the privileges
of the process.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Git users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/git-2.13.5"
References
==========
[ 1 ] CVE-2017-1000117
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000117
[ 2 ] Mailing list ARChives (MARC) Git Team Announce
https://marc.info/?l=git&m=150238802328673&w=2
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201709-10
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
GLSA 201709-11 : GIMPS: Root privilege escalation
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201709-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: GIMPS: Root privilege escalation
Date: September 17, 2017
Bugs: #603408
ID: 201709-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Gentoo's GIMPS ebuilds are vulnerable to privilege escalation due to
improper permissions. A local attacker could use it to gain root
privileges.
Background
==========
GIMPS, the Great Internet Mersenne Prime Search, is a software capable
of find Mersenne Primes, which are used in cryptography. GIMPS is also
used for hardware testing.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sci-mathematics/gimps < 28.10-r1 >= 28.10-r1
Description
===========
It was discovered that Gentoo’s default GIMPS installation suffered
from a privilege escalation vulnerability in the init script. This
script calls an unsafe "chown -R" command in checkconfig() function.
Impact
======
A local attacker who does not belong to the root group, but has the
ability to modify the /var/lib/gimps directory can escalate privileges
to the root group.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All GIMPS users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sci-mathematics/gimps-28.10-r1"
References
==========
[ 1 ] CVE-2017-14484
https://nvd.nist.gov/vuln/detail/CVE-2017-14484
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201709-11
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
GLSA 201709-12 : Perl: Race condition vulnerability
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201709-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Perl: Race condition vulnerability
Date: September 17, 2017
Bugs: #620304
ID: 201709-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability in module File::Path for Perl allows local attackers to
set arbitrary mode values on arbitrary files bypassing security
restrictions.
Background
==========
File::Path module provides a convenient way to create directories of
arbitrary depth and to delete an entire directory subtree from the
filesystem.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-lang/perl < 5.24.1-r2 >= 5.24.1-r2
2 perl-core/File-Path < 2.130.0 >= 2.130.0
3 virtual/perl-File-Path < 2.130.0 >= 2.130.0
-------------------------------------------------------------------
3 affected packages
Description
===========
A race condition occurs within concurrent environments. This condition
was discovered by The cPanel Security Team in the rmtree and
remove_tree functions in the File-Path module before 2.13 for Perl.
This is due to the time-of-check-to-time-of-use (TOCTOU) race
condition between the stat() that decides the inode is a directory and
the chmod() that tries to make it user-rwx.
Impact
======
A local attacker could exploit this condition to set arbitrary mode
values on arbitrary files and hence bypass security restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Perl users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/perl-5.24.1-r2"
All File-Path users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=perl-core/File-Path-2.130.0"
All Perl-File-Path users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=virtual/perl-File-Path-2.130.0"
References
==========
[ 1 ] CVE-2017-6512
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6512
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201709-12
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
GLSA 201709-13 : SquirrelMail: Remote Code Execution
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201709-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: SquirrelMail: Remote Code Execution
Date: September 17, 2017
Bugs: #616700
ID: 201709-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability in SquirrelMail might allow remote attackers to execute
arbitrary code.
Background
==========
SquirrelMail is a webmail package written in PHP. It supports IMAP and
SMTP and can optionally be installed with SQL support.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 mail-client/squirrelmail
< 1.4.23_pre20140426 Vulnerable!
-------------------------------------------------------------------
NOTE: Certain packages are still vulnerable. Users should migrate
to another package if one is available or wait for the
existing packages to be marked stable by their
architecture maintainers.
Description
===========
It was discovered that the sendmail.cf file is mishandled in a popen
call.
Impact
======
A remote attacker, by enticing a user to open an e-mail attachment,
could execute arbitrary shell commands.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
Gentoo has discontinued support for SquirrelMail and recommends that
users unmerge the package:
# emerge --unmerge "mail-client/squirrelmail"
References
==========
[ 1 ] CVE-2017-7692
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7692
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201709-13
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
GLSA 201709-14 : cURL: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201709-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: cURL: Multiple vulnerabilities
Date: September 17, 2017
Bugs: #615870, #615994, #626776
ID: 201709-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in cURL, the worst of which
may allow attackers to bypass intended restrictions.
Background
==========
cURL is a tool and libcurl is a library for transferring data with URL
syntax.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/curl < 7.55.1 >= 7.55.1
Description
===========
Multiple vulnerabilities have been discovered in cURL. Please review
the CVE identifiers referenced below for details.
Impact
======
Remote attackers could cause a Denial of Service condition, obtain
sensitive information, or bypass intended restrictions for TLS
sessions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All cURL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/curl-7.55.1"
References
==========
[ 1 ] CVE-2017-1000099
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000099
[ 2 ] CVE-2017-1000100
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000100
[ 3 ] CVE-2017-1000101
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000101
[ 4 ] CVE-2017-7407
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7407
[ 5 ] CVE-2017-7468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7468
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201709-14
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5