Posted: Mon Jul 10, 2017 10:26 pm Post subject: [ glsa 201706-01 ] munge
Gentoo Linux Security Advisory
Title: MUNGE: Privilege escalation (GLSA 201706-01)
Gentoo's MUNGE ebuilds are vulnerable to privilege escalation due
to improper permissions.
An authentication service for creating and validating credentials.
Vulnerable: < 0.5.10-r2
Unaffected: >= 0.5.10-r2
Architectures: All supported architectures
It was discovered that Gentoo’s default MUNGE installation suffered
from a privilege escalation vulnerability (munge user to root) due to
improper permissions and a runscript which called chown() on a user
A local attacker, who either is already MUNGE’s system user or belongs
to MUNGE’s group, could potentially escalate privileges.
There is no known workaround at this time.
All MUNGE users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-auth/munge-0.5.10-r2"