Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2020:1163-1

Опубликовано: 04 мая 2020
Источник: suse-cvrf

Описание

Security update for permissions

This update for permissions fixes the following issues:

Security issue fixed:

  • CVE-2020-8013: Fixed a local privilege escalation with mrsh and wodim (bsc#1163922).

Non-security issues fixed:

  • Fixed regression where chkstat breaks without /proc available (bsc#1160764, bsc#1160594)
  • Fixed capability handling when doing multiple permission changes at once (bsc#1161779)
  • Fixed handling of relative directory symlinks in chkstat

Список пакетов

Container suse/sle15:15.0
permissions-20180125-3.21.1
Image SLES15-Azure-BYOS
permissions-20180125-3.21.1
Image SLES15-EC2-CHOST-HVM-BYOS
permissions-20180125-3.21.1
Image SLES15-EC2-HVM-BYOS
permissions-20180125-3.21.1
Image SLES15-GCE-BYOS
permissions-20180125-3.21.1
Image SLES15-OCI-BYOS
permissions-20180125-3.21.1
Image SLES15-SAP-Azure
permissions-20180125-3.21.1
Image SLES15-SAP-Azure-BYOS
permissions-20180125-3.21.1
Image SLES15-SAP-Azure-LI-BYOS-Production
permissions-20180125-3.21.1
Image SLES15-SAP-Azure-VLI-BYOS-Production
permissions-20180125-3.21.1
Image SLES15-SAP-EC2-HVM
permissions-20180125-3.21.1
Image SLES15-SAP-EC2-HVM-BYOS
permissions-20180125-3.21.1
Image SLES15-SAP-GCE
permissions-20180125-3.21.1
Image SLES15-SAP-GCE-BYOS
permissions-20180125-3.21.1
Image SLES15-SAP-OCI-BYOS
permissions-20180125-3.21.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS
permissions-20180125-3.21.1
SUSE Linux Enterprise High Performance Computing 15-LTSS
permissions-20180125-3.21.1
SUSE Linux Enterprise Server 15-LTSS
permissions-20180125-3.21.1
SUSE Linux Enterprise Server for SAP Applications 15
permissions-20180125-3.21.1

Ссылки

Описание

The /usr/sbin/pinger binary packaged with squid in SUSE Linux Enterprise Server 15 before and including version 4.8-5.8.1 and in SUSE Linux Enterprise Server 12 before and including 3.5.21-26.17.1 had squid:root, 0750 permissions. This allowed an attacker that compromissed the squid user to gain persistence by changing the binary

Затронутые продукты
Container suse/sle15:15.0:permissions-20180125-3.21.1
Image SLES15-Azure-BYOS:permissions-20180125-3.21.1
Image SLES15-EC2-CHOST-HVM-BYOS:permissions-20180125-3.21.1
Image SLES15-EC2-HVM-BYOS:permissions-20180125-3.21.1
Ссылки

Описание

The chkstat tool in the permissions package followed symlinks before commit a9e1d26cd49ef9ee0c2060c859321128a6dd4230 (please also check the additional hardenings after this fix). This allowed local attackers with control over a path that is traversed by chkstat to escalate privileges.

Затронутые продукты
Container suse/sle15:15.0:permissions-20180125-3.21.1
Image SLES15-Azure-BYOS:permissions-20180125-3.21.1
Image SLES15-EC2-CHOST-HVM-BYOS:permissions-20180125-3.21.1
Image SLES15-EC2-HVM-BYOS:permissions-20180125-3.21.1
Ссылки

Описание

A UNIX Symbolic Link (Symlink) Following vulnerability in chkstat of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15, SUSE Linux Enterprise Server 11 set permissions intended for specific binaries on other binaries because it erroneously followed symlinks. The symlinks can't be controlled by attackers on default systems, so exploitation is difficult. This issue affects: SUSE Linux Enterprise Server 12 permissions versions prior to 2015.09.28.1626-17.27.1. SUSE Linux Enterprise Server 15 permissions versions prior to 20181116-9.23.1. SUSE Linux Enterprise Server 11 permissions versions prior to 2013.1.7-0.6.12.1.

Затронутые продукты
Container suse/sle15:15.0:permissions-20180125-3.21.1
Image SLES15-Azure-BYOS:permissions-20180125-3.21.1
Image SLES15-EC2-CHOST-HVM-BYOS:permissions-20180125-3.21.1
Image SLES15-EC2-HVM-BYOS:permissions-20180125-3.21.1
Ссылки