Date: Thu, 30 Jan 2014 23:30:51 +0100
From: Martin Carpenter <mcarpenter@...e.fr>
To: oss-security@...ts.openwall.com
Subject: CVE request: enlightenment sysactions

Hi,

Red Hat Security suggested I request a CVE here since this potentially
affects multiple distros/maintainers. The Enlightenment window manager
(enlightenment.org) was found to ship with (a) a setuid root helper that
did not effectively sanitize its environment and (b) a weak default
configuration. Users in select groups could exploit this to execute
arbitrary programs as root.

This was fixed upstream in 3 commits each for both e17 and e18 branches,
with two new releases shipped shortly after:
  0.17.6, Dec  4th 2013: [1], [2], [3]
  0.18.0, Dec 21st 2013: [4], [5], [6]

Fedora has a bug filed against it at [7] referencing the e18 commits.

Thanks,

Martin.

[1] https://git.enlightenment.org/core/enlightenment.git/commit/?id=ea605237bb64ee09341121461b3d2c0f5dbe832d
[2] https://git.enlightenment.org/core/enlightenment.git/commit/?id=126afd0fda493deec8398088e6e928b4d2e5f463
[3] https://git.enlightenment.org/core/enlightenment.git/commit/?id=8cabf2708520539cf25ca0a876f9c044f6d56a77
[4] https://git.enlightenment.org/core/enlightenment.git/commit/?id=9456e88504cb5daddbac3f49373a3a9a8577e27a
[5] https://git.enlightenment.org/core/enlightenment.git/commit/?id=666df815cd86a50343859bce36c5cf968c5f38b0
[6] https://git.enlightenment.org/core/enlightenment.git/commit/?id=bb4a21e98656fe2c7d98ba2163e6defe9a630e2b
[7] https://bugzilla.redhat.com/show_bug.cgi?id=1059410
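
Issue (a) in the message above, a setuid helper that trusts its caller's environment, is generally handled by rebuilding the environment from an allowlist instead of filtering out known-bad names. The following is an added example, not Enlightenment's code and not taken from the referenced commits; the allowlist, the `SAFE_PATH` value, the function names and the sample environment are all assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Assumed allowlist and PATH for illustration; not Enlightenment's values. */
#define SAFE_PATH "PATH=/usr/sbin:/usr/bin:/sbin:/bin"
static const char *const keep[] = { "DISPLAY", "LANG", "TERM" };
#define NKEEP (sizeof(keep) / sizeof(keep[0]))
/* Constructed sample of a caller-controlled environment. */
static char *const sample_env[] = { "LD_PRELOAD=/tmp/x.so", "PATH=/tmp:/bin",
    "TERM=xterm", "TERM=second", "DISPLAY=:0", "LANG=en_US\nX", NULL };
static const char *clean[NKEEP + 2]; /* fixed PATH + allowlist + NULL */

/* First NAME=value entry for name, so a duplicate cannot shadow it. */
static const char *find_first(char *const envp[], const char *name) {
    size_t nlen = strlen(name);
    for (; envp != NULL && *envp != NULL; envp++)
        if (strncmp(*envp, name, nlen) == 0 && (*envp)[nlen] == '=')
            return *envp;
    return NULL;
}

/* Accept only values made entirely of printable ASCII. */
static int value_ok(const char *entry) {
    const unsigned char *v = (const unsigned char *)strchr(entry, '=') + 1;
    for (; *v != '\0'; v++)
        if (*v < 0x20 || *v > 0x7e)
            return 0;
    return 1;
}

/* Fixed PATH plus validated allowlisted entries; returns count or -1. */
static int build_clean_env(char *const envp[], const char *out[], size_t cap) {
    size_t i, n = 0;
    if (cap < NKEEP + 2) return -1; /* out[] too small */
    out[n++] = SAFE_PATH;
    for (i = 0; i < NKEEP; i++) {
        const char *e = find_first(envp, keep[i]);
        if (e != NULL && value_ok(e))
            out[n++] = e;
    }
    out[n] = NULL;
    return (int)n;
}

int main(void) {
    int i, n = build_clean_env(sample_env, clean, NKEEP + 2);
    for (i = 0; i < n; i++)
        puts(clean[i]); /* a real helper would pass clean[] to execve() */
    return 0;
}
```

Because the result is built from the allowlist, variables such as `LD_PRELOAD` and the caller's `PATH` are dropped without having to be named.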
