
[linux-security] lv local root exploit



Topic
=====
local root exploit in lv

Problem Description
===================
Lv is a powerful file viewer similar to less.

A bug has been found in versions of lv that read a .lv file in the current
directory.  A local attacker can exploit this by placing a .lv file in any
directory to which they have write access.  Any user who subsequently runs
lv in that directory and uses the v (edit) command can be forced to execute
an arbitrary program.
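
Until the fixed package is installed, an administrator can look for .lv files
sitting where another user could have put them. The script below is an added
example, not part of the original advisory; the function name audit_lv and its
output labels are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): report .lv files that someone other
# than the invoking user could have planted in a directory tree.

# audit_lv ROOT
# Prints one line per finding:
#   writable-dir <dir>    directory holding a .lv is group- or world-writable
#   foreign-owner <file>  the .lv file is owned by a different uid
audit_lv() {
    root=${1:-.}
    uid=$(id -u)

    # Directories that other users can write to and that contain a .lv
    # (a dangling symlink named .lv is reported as well).
    find "$root" -type d \( -perm -002 -o -perm -020 \) \
        -exec sh -c '[ -e "$1/.lv" ] || [ -L "$1/.lv" ]' sh {} \; \
        -exec printf 'writable-dir %s\n' {} \; 2>/dev/null

    # .lv files anywhere under ROOT that the invoking user does not own.
    find "$root" -name .lv ! -user "$uid" \
        -exec printf 'foreign-owner %s\n' {} \; 2>/dev/null

    return 0
}

# When run as a script with an argument, audit that directory.
if [ "$#" -gt 0 ]; then
    audit_lv "$1"
fi
```

Sticky-bit directories such as /tmp are reported too, since any user can
still create a .lv there when none exists yet.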

Affected Versions
=================
lv versions 4.49.4 and earlier

Solution
========
Upgrade to version 4.49.5 (or the patched version for your distribution).

RedHat 7.x
----------
rpm -Fvh lv-4.49.4-3.7x.1.i386.rpm

RedHat 8.0
----------
rpm -Fvh lv-4.49.4-7.80.1.i386.rpm

RedHat 9
--------
rpm -Fvh lv-4.49.4-9.9.1.i386.rpm

Debian 2.2 (potato)
-------------------
Upgrade to lv_4.49.3-4potato2_i386.deb

Debian 3.0 (woody)
------------------
Upgrade to lv_4.49.4-7woody2_i386.deb