[gentoo-security] GLSA: tcptraceroute (200306-14)

[pilla]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200306-14
- - - ---------------------------------------------------------------------

PACKAGE : tcptraceroute
SUMMARY : problems dropping root privileges
DATE : 2003-06-28 20:21 UTC
EXPLOIT : local
VERSIONS AFFECTED : <tcptraceroute-1.4-r1
FIXED VERSION : >=tcptraceroute-1.4
CVE : CAN-2003-0489

- - - ---------------------------------------------------------------------

quote from cve:

"tcptraceroute 1.4 and earlier does not fully drop privileges after
obtaining a file descriptor for capturing packets, which may allow
local users to gain access to the descriptor via a separate
vulnerability in tcptraceroute."

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-analyzer/tcptraceroute upgrade to tcptraceroute-1.4-r1 as follows

emerge sync
emerge tcptraceroute
emerge clean

- - - ---------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+/fi1fT7nyhUpoZMRAkHwAJ9Jj9W1Rpt2UAFCC+jRXDrx+2ppLQCgixT0
rEjfzVQdgwl08qQs62wAcj4=
=rUPd
-----END PGP SIGNATURE-----
_________________
"I'm just very selective about the reality I choose to accept." -- Calvin