ktsuss fails to change the effective UID back to the real UID
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ktsuss (Debian) | Fix Released | Unknown | |
ktsuss (Ubuntu) | Invalid | Undecided | Unassigned |
Lucid | Won't Fix | Undecided | Unassigned |
Maverick | Won't Fix | Undecided | Unassigned |
Natty | Won't Fix | Undecided | Unassigned |
Bug Description
CVE-2011-2921, http://
When the target UID is the same as the real UID ktsuss skips
authentication. Under these circumstances, ktsuss fails to change the
effective UID back to the real UID.
Maverick is vulnerable.
The discussion can be viewed here, http://
The discussion also mentioned another vulnerability, though it's probably best to file another bug for the same.
The discussion at Debian can be viewed here, but no patches are proposed; it only discusses dropping the package in the next release.
ktsuss is not maintained, however, ktsuss-2 can be found here, http://
visibility: private → public
Changed in ktsuss (Ubuntu Lucid): status: New → Confirmed
Changed in ktsuss (Ubuntu Maverick): status: New → Confirmed
Changed in ktsuss (Ubuntu Natty): status: New → Confirmed
Changed in ktsuss (Debian): status: Unknown → Fix Released
Changed in ktsuss (Ubuntu): status: New → Invalid
Please find attached, a debdiff which takes care of this issue by doing a seteuid(getuid()). Solves the issue. Tested on Maverick, works correctly after applying this patch.
Before applying you have:-
$:~/cve-stuff/2011-2921/t3$ ktsuss -u `whoami` whoami
root
After, you have:-
$:~/cve-stuff/2011-2921/t3$ ktsuss -u `whoami` whoami
equinox
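The same-user path from the bug description, with the privilege drop made explicit and verified before anything is executed. This is an added example, not ktsuss source and not the attached debdiff; drop_to_real_ids and same_user_path are hypothetical names. It uses setgid()/setuid() rather than the patch's seteuid(getuid()) so that, in a setuid-root binary, the saved IDs are reset as well, and it treats a reversible drop as a failure.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently return to the caller's real UID/GID.
 * Returns 0 on success, -1 if the drop failed or could be undone. */
int drop_to_real_ids(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group first: after the UID drop we may lack the right to change it. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* The saved IDs must be reset too, so regaining the old ones has to fail. */
    if (old_euid != ruid && seteuid(old_euid) == 0)
        return -1;
    if (old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    return 0;
}

/* Hypothetical model of the branch in the report: when the target UID equals
 * the real UID no password is asked, so privileges must be dropped here.
 * Returns 0 = safe to exec, 1 = authentication required, -1 = drop failed. */
int same_user_path(uid_t target)
{
    if (target != getuid())
        return 1;
    return drop_to_real_ids();
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    if (same_user_path(getuid()) != 0) {
        fprintf(stderr, "refusing to run: privilege drop failed\n");
        return 1;
    }
    execvp(argv[1], &argv[1]);
    perror("execvp");
    return 127;
}
```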