[linux-security] modutils local root exploit

Synopsis
========
the modprobe program of the modutils package allows a local root exploit

Problem Description
===================
 All 2.3.x versions of modutils (since March 12 1999) contain a 
 vulnerability that can lead to a local root compromise.  The modprobe
 program uses popen() to execute the "echo" program argumented with
 user input.  Because popen() relies on /bin/sh to parse the command
 string and execute "echo", un-escaped shell meta-characters can be
 included in user input to execute commands.  Although modprobe is not
 installed setuid root, this vulnerability can be exploited to gain root
 access provided the target system is using kmod.  Kmod is a kernel
 facility that automatically executes the program modprobe when a module
 is requested via request_module().  One program that can take advantage
 of this vulnerability is ping.  When a  device is specified at the 
 command line that doesn't exist, request_module is called with the 
 user-supplied arguments passed to the kernel.  The kernel then takes 
 the arguments and executes modprobe with them.  Arbitrary commands 
 included in the argument for module name (device name to ping) are then
 executed when popen() is called as root.

Affected Systems
================
All Linux distributions that use modutils versions 2.3.x
e.g., RedHat 6.2 and 7.0, Mandrake 7.x.

Type "rpm -q modutils" to find the version of the modutils package on your
system.

Not Affected
============
modutils version < 2.3.0, e.g., modutils-2.1.121 is not vulnerable and
hence RedHat 6.1 is not vulnerable.

Solution
========
upgrade to modutils-2.3.20

RedHat 6.2
rpm -Fvh modutils-2.3.20-0.6.2.i386.rpm

RedHat 7.0
rpm -Fvh modutils-2.3.20-1.i386.rpm

Mandrake 7.1
rpm -Fvh modutils-2.3.20-1.2mdk.i586.rpm

Mandrake 7.2
rpm -Fvh modutils-2.3.20-1.1mdk.i586.rpm