CVE-2011-2467: likewise-open local privilege escalation
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
likewise-open (Ubuntu) | Fix Released | Medium | Steve Beattie | |
Bug Description
A SQL injection issue has been identified that could allow an attacker to craft a query that would result in local elevation of privileges. More details are in the attached file LWSA-2011-002.txt.
A public announcement is planned for July 12, 2011 but that could change.
This affects Likewise Open 5.4 (in Ubuntu 10.04, 10.10), and Likewise Open 6.0 (in Ubuntu 11.04 and the current branch).
Patches have been developed by engineers at Likewise for the versions Likewise released, but some additional work may be needed to make things compile clean on the respective Ubuntu releases as they often have some minor patches (which is what I generally take care of).
I've never handled a security issue before and I'm not even sure of which branch of code I should check out for Lucid which has already had a security issue.
Hi Scott,
Thanks for the heads up. Assuming you can provide us with patches relatively soon, the CRD of July 12, 2011 should be okay with us.
To get lucid source, you can either do apt-get source likewise-open on a lucid system (or apt-get source version=5.4.0.42111-2ubuntu1.2 on a system with lucid-updates in its apt sources.list). Alternatively, you can get it through bzr via the lp:ubuntu/lucid-updates/likewise-open branch or directly from the webpage https://launchpad.net/ubuntu/+source/likewise-open/5.4.0.42111-2ubuntu1.2 .
Once you have patches/debdiffs you're comfortable with, please attach them to this bug report and the security team can build them in our infrastructure in preparation for the update. We'll attempt to coordinate with the Ubuntu server team for testing before release.