Joined: 12 May 2004
|Posted: Fri Jan 27, 2012 3:26 pm Post subject: [ GLSA 201201-15 ] ktsuss: Privilege escalation
|Gentoo Linux Security Advisory
Title: ktsuss: Privilege escalation (GLSA 201201-15)
Date: January 27, 2012
Two vulnerabilities have been found in ktsuss, allowing local
attackers to gain escalated privileges.
ktsuss is a simple, graphical version of su written in C and GTK+.
Vulnerable: <= 1.4
Architectures: All supported architectures
Two vulnerabilities have been found in ktuss:
- Under specific circumstances, ktsuss skips authentication and fails
to change the effective UID back to the real UID (CVE-2011-2921).
- The GTK interface spawned by the ktsuss binary is run as root
A local attacker could gain escalated privileges and use the
"GTK_MODULES" environment variable to possibly execute arbitrary code
with root privileges.
There is no known workaround at this time.
Gentoo discontinued support for ktsuss. We recommend that users unmerge
|# emerge --unmerge "x11-misc/ktsuss"