Bug 3938 - libcap is missing security update for CVE-2011-4099
Summary: libcap is missing security update for CVE-2011-4099
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: Security, validated_update
Duplicates: 3245
Depends on:
Blocks:
 
Reported: 2011-12-30 03:19 CET by David Walser
Modified: 2014-05-08 18:04 CEST

See Also:
Source RPM: libcap-2.19-7.mga1.src.rpm
CVE:
Status comment:


Description David Walser 2011-12-30 03:19:43 CET
Mandriva issued this update on December 12:
http://lists.mandriva.com/security-announce/2011-12/msg00007.php
Anssi Hannula 2011-12-30 04:33:32 CET

Keywords: (none) => Security
Status: NEW => ASSIGNED
Assignee: bugsquad => anssi.hannula

Comment 1 Anssi Hannula 2011-12-30 04:45:17 CET
Suggested advisory:
========================
Updated libcap package fixes a security vulnerability:

capsh program didn't chdir() when using --chroot, allowing the program being run to access outside the chroot.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4099
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2011:185
https://rhn.redhat.com/errata/RHSA-2011-1694.html
========================

Updated package in core/updates_testing:
=====================
libcap-utils-2.19-7.1.mga1
from libcap-2.19-7.1.mga1 src.rpm.
=====================

Test procedure:
=============
1. Install libcap-utils.
2. Run as root:
  capsh --chroot=/ -- -c /bin/pwd
Result:
- good: /
- bad: current working directory
=============

CC: (none) => anssi.hannula
Assignee: anssi.hannula => qa-bugs
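
The pattern behind the advisory in Comment 1, as an added example (not code from libcap or from this bug report): chroot() changes only the process root, so the working directory has to be moved inside it explicitly. The function names `enter_chroot` and `cwd_is_inside_root` are hypothetical; the second is a check a wrapper or test can run to confirm the working directory is reachable from the current root.

```c
#define _DEFAULT_SOURCE          /* exposes chroot() under strict -std modes */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical helper showing the hardened order. chroot() leaves the
 * working directory untouched, so chdir("/") must follow it.
 * Returns 0 on success, -1 on failure (errno set by the failing call). */
int enter_chroot(const char *new_root)
{
    if (chroot(new_root) != 0)
        return -1;
    if (chdir("/") != 0)         /* the step the advisory says capsh lacked */
        return -1;
    return 0;
}

/* Hypothetical check: returns 1 if the working directory lies under the
 * process root, 0 if it is outside it, -1 on error. It walks ".." upward
 * from "." and compares each directory's (st_dev, st_ino) with "/". */
int cwd_is_inside_root(void)
{
    struct stat root, cur, parent;
    char path[4096] = ".";

    if (stat("/", &root) != 0 || stat(path, &cur) != 0)
        return -1;
    for (;;) {
        if (cur.st_dev == root.st_dev && cur.st_ino == root.st_ino)
            return 1;                        /* reached the process root */
        if (strlen(path) + 4 > sizeof(path))
            return -1;                       /* too deep for the buffer */
        strcat(path, "/..");
        if (stat(path, &parent) != 0)
            return -1;
        if (parent.st_dev == cur.st_dev && parent.st_ino == cur.st_ino)
            return 0;                        /* hit a top that is not "/" */
        cur = parent;
    }
}

int main(void)
{
    int r = cwd_is_inside_root();
    printf("cwd inside root: %s\n", r == 1 ? "yes" : r == 0 ? "no" : "error");
    return r == 1 ? 0 : 1;
}
```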

Comment 2 David Walser 2011-12-31 17:35:36 CET
Tested successfully on i586.
Comment 3 Manuel Hiebel 2011-12-31 18:48:06 CET
Testing complete on x86_64

Advisory
-------------
Updated libcap package fixes a security vulnerability:

capsh program didn't chdir() when using --chroot, allowing the program being
run to access outside the chroot.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4099
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2011:185
https://rhn.redhat.com/errata/RHSA-2011-1694.html
-------------

SRPM: libcap-2.19-7.1.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Thomas Backlund 2011-12-31 23:05:25 CET
Update pushed.

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 5 D Morgan 2012-01-02 01:53:04 CET
*** Bug 3245 has been marked as a duplicate of this bug. ***

CC: (none) => boklm

Nicolas Vigier 2014-05-08 18:04:31 CEST

CC: boklm => (none)

