
[linux-security] for the third time: modutils



Topic
========
Another root exploit in modutils.
A new modutils-2.3.21 package has been released in order to repair bugs
introduced in modutils-2.3.20 (sigh).

Problem Description
===================
This is the third revision of the modutils package since Nov. 16. Sigh.
Hopefully they get it right this time.

The previous modutils packages released to address a local root
compromise contained an error in the new safeguards that prevented them
from being enabled properly when run as root from the kmod process. These
new safeguards check the arguments passed to modules. The new 2.3.21
modutils package fixes this error and correctly checks the arguments
when running from kmod, limiting kernel module arguments to those
specified in /etc/conf.modules or /etc/modules.conf.
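
The safeguard described above, sketched as an added example (not modutils'
own code and not part of the advisory): a load request that comes from kmod
is accepted only if every module argument appears on an "options" line for
that module. The function names, the from_kmod flag and the sample
configuration are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample in the style of /etc/modules.conf (not from the advisory). */
static const char SAMPLE_CONF[] =
    "alias eth0 ne\n"
    "options ne io=0x300 irq=5\n"
    "options sb io=0x220\n";

/* Return 1 if arg is a whole token on an "options <module> ..." line of conf. */
int conf_allows(const char *conf, const char *module, const char *arg)
{
    size_t want = strlen(arg);
    for (const char *line = conf; *line; ) {
        size_t len = strcspn(line, "\n");
        char buf[256], kw[32], mod[64];
        int off = 0;
        if (len < sizeof buf) {              /* over-long lines never grant anything */
            memcpy(buf, line, len); buf[len] = '\0';
            if (sscanf(buf, "%31s %63s%n", kw, mod, &off) == 2 &&
                strcmp(kw, "options") == 0 && strcmp(mod, module) == 0) {
                for (const char *p = buf + off; *p; ) {
                    p += strspn(p, " \t");   /* skip separators */
                    size_t n = strcspn(p, " \t");
                    if (n > 0 && n == want && memcmp(p, arg, n) == 0) return 1;
                    p += n;
                }
            }
        }
        line += len + (line[len] == '\n');   /* advance to the next line */
    }
    return 0;
}

/* Assumed policy: a request from kmod (from_kmod != 0) may only carry listed arguments. */
int args_permitted(const char *conf, int from_kmod, const char *module,
                   int argc, const char *const *argv)
{
    if (!from_kmod) return 1;                /* this sketch only models the kmod path */
    for (int i = 0; i < argc; i++)
        if (!conf_allows(conf, module, argv[i])) return 0;   /* one unlisted arg rejects */
    return 1;
}

int main(void)
{
    const char *const req[] = { "io=0x300", "irq=7" };   /* irq=7 is not listed for ne */
    printf("permitted: %d\n", args_permitted(SAMPLE_CONF, 1, "ne", 2, req));
    return 0;
}
```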

Affected Systems
================
All Linux distributions that use modutils version 2.3.20
(and therefore all systems that were recently upgraded from 2.3.x to
2.3.20 in order to fix a root exploit in the earlier versions).

Solution
========
Upgrade to modutils-2.3.21.

RedHat 6.2
rpm -Fvh modutils-2.3.21-0.6.2.i386.rpm

RedHat 7.0
rpm -Fvh modutils-2.3.21-1.i386.rpm

Mandrake 7.1
rpm -Fvh modutils-2.3.21-1.2mdk.i586.rpm

Mandrake 7.2
rpm -Fvh modutils-2.3.21-1.1mdk.i586.rpm

Debian
Upgrade to version 2.3.11-13.1

Debian 2.2 (potato)
Upgrade to modutils_2.3.11-13.1_i386.deb