Bug 6424 - libgssglue missing fix for security issue CVE-2011-2709
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal  Severity: normal
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/449435/
Whiteboard: MGA1TOO, mga1-32-OK, mga2-32-OK, mga1...
Keywords: validated_update
Reported: 2012-06-11 21:31 CEST by David Walser
Modified: 2012-07-10 15:07 CEST (History)
Source RPM: libgssglue-0.3-1.mga2.src.rpm

Description David Walser 2012-06-11 21:31:37 CEST
SuSE issued an advisory for this on June 24 last year:
http://lwn.net/Alerts/449415/

The issue was fixed upstream in version 0.4.  Fedora has provided an update to this version for Fedora 16 to fix this issue (May 18):
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082072.html

Mageia 1 may be affected as well.
Comment 1 Guillaume Rousse 2012-06-12 21:45:33 CEST
I just submitted libgssglue-0.4-1.mga2 and libgssglue-0.1-8.1.mga1 in updates_testing.

Suggested advisory:
This update fixes insecure getenv() usage in libgssglue, which could be used under some circumstances by local attackers to gain root privileges.
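The advisory text above names the bug class but not the mechanism. The pattern behind "insecure getenv() usage ... local attackers gain root" is a library that lets an environment variable override the path of its mechanism configuration file: when that library is loaded into a setuid binary, a local user can point it at a file they wrote, and whatever that file tells the library to load runs with the binary's privileges. The C below is an added example written for this page, not libgssglue's code or its patch; the variable name GSSAPI_MECH_CONF and the default path /etc/gssapi_mech.conf are assumptions for illustration. It shows the vulnerable resolver next to a hardened one that ignores the environment whenever the real and effective identities differ.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed names for this example; the page does not state the real
 * library's variable name or default path. */
#define MECH_CONF_ENV     "GSSAPI_MECH_CONF"
#define MECH_CONF_DEFAULT "/etc/gssapi_mech.conf"

/*
 * Vulnerable pattern: the environment always wins.  A library that then
 * parses the chosen file for mechanism shared objects to dlopen() will,
 * inside a setuid program, load whatever a local user points it at, with
 * the program's elevated privileges.
 */
const char *mech_conf_path_vulnerable(void)
{
    const char *p = getenv(MECH_CONF_ENV);
    return (p != NULL && *p != '\0') ? p : MECH_CONF_DEFAULT;
}

/*
 * True when the process runs with an effective identity different from
 * its real one (setuid/setgid).  In that case the environment came from
 * an untrusted caller and must not steer privileged behaviour.
 */
int running_setugid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/*
 * Hardened resolver with the privilege decision passed in so it can be
 * exercised without actually installing a setuid binary.  The override is
 * honoured only when the caller is not privileged relative to its real
 * identity.  glibc's secure_getenv(3) gives the same effect (it returns
 * NULL when the process is AT_SECURE); this form is portable.
 */
const char *mech_conf_path_hardened_for(int setugid)
{
    if (!setugid) {
        const char *p = getenv(MECH_CONF_ENV);
        if (p != NULL && *p != '\0')
            return p;
    }
    return MECH_CONF_DEFAULT;
}

const char *mech_conf_path_hardened(void)
{
    return mech_conf_path_hardened_for(running_setugid());
}

int main(void)
{
    /* Constructed input: what a local attacker would set before running a
     * setuid program linked against the library. */
    setenv(MECH_CONF_ENV, "/tmp/attacker_mech.conf", 1);

    printf("vulnerable resolver        : %s\n", mech_conf_path_vulnerable());
    printf("hardened resolver (setuid) : %s\n", mech_conf_path_hardened_for(1));
    printf("hardened resolver (this pid): %s\n", mech_conf_path_hardened());
    return 0;
}
```

Run as a normal user the last line equals the attacker path too, because the process is not setuid; the point is the second line, where the same environment is ignored. The same check belongs on every other environment-driven lookup in a library that can end up inside setuid code, such as library search paths and plugin directories.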
Comment 3 Dave Hodgins 2012-06-14 05:37:32 CEST
Testing complete on Mageia 1 i586 for the srpm
libgssglue-0.1-8.1.mga1.src.rpm

For testing, I used a Mageia 1 client under VirtualBox accessing
an NFS share on the host Mageia 1 system.

I'll test Mageia 2 i586 shortly.
Comment 4 Dave Hodgins 2012-06-14 06:37:55 CEST
Testing complete on Mageia 2 i586 for the srpm
libgssglue-0.4-1.mga2.src.rpm

Testing using an NFS share on the Mageia 2 host, accessed by the Mageia 1
VirtualBox guest, and an NFS share on the VirtualBox guest accessed by the host.
Comment 5 Guillaume Rousse 2012-06-14 09:13:18 CEST
You may forget testing here, as libgssglue is only used with Kerberos support, and this is really painful to setup.
Comment 6 Dave Hodgins 2012-06-15 04:02:33 CEST
Should the packages be removed from updates_testing, and this bug closed as won't fix then?
Comment 7 David Walser 2012-06-15 05:04:37 CEST
Whoa, I don't think that's what he meant.  I think he was just saying testing normal NFS functionality won't test the library, so unless you want to go through all the pain of setting up Kerberos, just make sure the package installs.

I've never used NFS with Kerberos before, but I wasn't aware it was that difficult.  I'll probably get to find out pretty soon at work actually.
Comment 8 Dave Hodgins 2012-06-15 09:08:29 CEST
Ok. We still need 64 bit testing on both releases.
Comment 9 Samuel Verschelde 2012-07-08 16:08:07 CEST
libgssglue installs cleanly on MGA1 64 bits.

Testing only install per comment #5
Comment 10 Samuel Verschelde 2012-07-10 13:47:12 CEST
Testing install on MGA2 64 bits: went fine. Validating per comment #5.


Update validated for MGA1 and MGA2. See comment #2 for packages and advisory.

Thanks!
Comment 11 Thomas Backlund 2012-07-10 15:07:09 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0159
