[Secure-testing-team] Bug#674715: CVE-2012-2653: initgroups() adds gid 0 to the group list
Yves-Alexis Perez
corsac at debian.org
Sat May 26 21:57:45 UTC 2012
Package: arpwatch
Version: 2.1a15-1.1
Severity: critical
Tags: security
Justification: root security hole
Hi,
as reported on oss-sec
(http://www.openwall.com/lists/oss-security/2012/05/24/12) the patch
added to arpwatch to drop privileges in fact adds the gid 0 (root) group
to the group list. This has been allocated CVE-2012-2653.
Can you prepare updates fixing this (using pw->pw_gid in the call) or
should the security team do it?
Regards,
--
Yves-Alexis
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-2-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
More information about the Secure-testing-team
mailing list