A security issue in chkrootkit has been announced today (June 4):
http://openwall.com/lists/oss-security/2014/06/04/9

Details on reproducing the issue are included in that post.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated chkrootkit package fixes security vulnerability:

The chkrootkit script contains a flaw that allows a local attacker to create an executable in /tmp that will be run by the user running chkrootkit (usually root), allowing the attacker to escalate privileges (CVE-2014-0476).

The Mageia 3 update also eliminates the false positive identification of a rootkit in /sbin/init (mga#6699).

References:
http://openwall.com/lists/oss-security/2014/06/04/9
https://bugs.mageia.org/show_bug.cgi?id=6699
https://bugs.mageia.org/show_bug.cgi?id=13481
========================

Updated packages in core/updates_testing:
========================
chkrootkit-0.49-6.1.mga3
chkrootkit-0.49-8.1.mga4

from SRPMS:
chkrootkit-0.49-6.1.mga3.src.rpm
chkrootkit-0.49-8.1.mga4.src.rpm
Blocks: (none) => 6699
Whiteboard: (none) => MGA3TOO
Testing complete mga3 32 & 64

From openwall..
--------------
Steps to reproduce:
- Put an executable file named 'update' with non-root owner in /tmp (not mounted noexec, obviously)
- Run chkrootkit (as uid 0)

Result: The file /tmp/update will be executed as root, thus effectively rooting your box, if malicious content is placed inside the file.
--------------

Created a file /tmp/update as below and made it executable

$ cat /tmp/update
#!/bin/bash
touch /tmp/vulnerable
$ chmod a+x /tmp/update

Before
------
$ ll /tmp/update
-rwxr-xr-x 1 claire claire 34 Jun 4 16:16 /tmp/update*
$ ll /tmp/vulnerable
ls: cannot access /tmp/vulnerable: No such file or directory

# chkrootkit
(for mga3 noted the false positive on Suckit)
...
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
...

$ ll /tmp/update
-rwxr-xr-x 1 claire claire 34 Jun 4 16:16 /tmp/update*
$ ll /tmp/vulnerable
-rw-r--r-- 1 root root 0 Jun 4 16:20 /tmp/vulnerable

Can see it has run the executable with the privileges of the user running chkrootkit (root) and created /tmp/vulnerable owned by root.

After
-----
Installed the update and removed /tmp/vulnerable

# rm /tmp/vulnerable
$ ll /tmp/update
-rwxr-xr-x 1 claire claire 34 Jun 4 16:16 /tmp/update*
$ ll /tmp/vulnerable
ls: cannot access /tmp/vulnerable: No such file or directory

# chkrootkit
(for mga3 checked it fixed the false positive on Suckit.)
...
Searching for Suckit rootkit... nothing found
...

$ ll /tmp/update
-rwxr-xr-x 1 claire claire 34 Jun 4 16:16 /tmp/update*
$ ll /tmp/vulnerable
ls: cannot access /tmp/vulnerable: No such file or directory

Clean up..
$ rm /tmp/update
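A pre-flight check an admin can run before invoking a not-yet-updated chkrootkit, as an added example that is not from the bug report, the tester, or the chkrootkit project: it reports the condition the reproduction above relies on (an executable file named 'update' in /tmp) and whether /tmp is mounted noexec, without executing anything in that directory. The function names and the /proc/mounts parsing (Linux only) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Mageia bug or of chkrootkit itself: inspect
# the scan directory BEFORE running an unpatched chkrootkit as root.
# Nothing found in the directory is ever executed by this script.

# Return 1 (and warn) if DIR holds an executable regular file named 'update',
# the condition CVE-2014-0476 needs; return 0 otherwise.
check_update_dropper() {
    dir=${1:-/tmp}
    f="$dir/update"
    if [ -f "$f" ] && [ -x "$f" ]; then
        owner=$(ls -ld "$f" | awk '{ print $3 }')   # portable owner lookup
        printf 'WARNING: %s is executable (owner: %s); remove it before running an unpatched chkrootkit as root\n' "$f" "$owner" >&2
        return 1
    fi
    return 0
}

# Print the mount options of the filesystem holding DIR: the longest mount
# point in /proc/mounts that is a prefix of DIR wins (assumes Linux).
mount_options_of() {
    awk -v d="${1:-/tmp}" '
        { mp = $2; gsub(/\\040/, " ", mp)            # unescape spaces in paths
          if (mp == "/" || d == mp || index(d, mp "/") == 1)
              if (length(mp) > best) { best = length(mp); opts = $4 } }
        END { print opts }' /proc/mounts
}

# Return 0 if DIR is on a noexec mount (a dropped file could not run anyway).
mount_is_noexec() {
    case ",$(mount_options_of "${1:-/tmp}")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

preflight() {
    dir=${1:-/tmp}
    rc=0
    check_update_dropper "$dir" || rc=1
    if mount_is_noexec "$dir"; then
        echo "note: $dir is mounted noexec, which blocks execution of a dropped file"
    else
        echo "note: $dir is NOT mounted noexec"
    fi
    return $rc
}
# Usage: sh preflight.sh /tmp   (with no argument only the functions are defined)
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```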
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga3-32-ok mga3-64-ok
URL: (none) => http://lwn.net/Vulnerabilities/601240/
Testing complete mga4 32 & 64
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0249.html
Status: NEW => RESOLVED
CC: (none) => pterjan
Resolution: (none) => FIXED