GLSA 200411-26: GIMPS, SETI@home, ChessBrain: Insecure installation

Severity: high
Title: GIMPS, SETI@home, ChessBrain: Insecure installation
Date: 11/17/2004
Bugs: #69868
ID: 200411-26

Synopsis

Improper file ownership allows user-owned files to be run with root privileges by init scripts.

Background

GIMPS is a client for the distributed Great Internet Mersenne Prime Search. SETI@home is the client for the Search for Extraterrestrial Intelligence (SETI) project. ChessBrain is the client for the distributed chess supercomputer.

Affected packages

Package                Vulnerable    Unaffected    Architecture(s)
sci-misc/gimps         <= 23.9       >= 23.9-r1    All supported architectures
sci-misc/setiathome    <= 3.08-r3    >= 3.08-r4    All supported architectures
sci-misc/chessbrain    <= 20407      >= 20407-r1   All supported architectures

Description

GIMPS, SETI@home and ChessBrain ebuilds install user-owned binaries and init scripts which are executed with root privileges.
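A check for the condition described above, as an added example that is not code from this advisory or from the Gentoo ebuilds: it flags files that init runs as root but that a non-root user could modify. It also reports group- and world-writable files, which goes beyond the ownership problem named here. The function names are hypothetical, GNU `stat` is assumed, and the caller supplies the paths to audit.

```shell
#!/bin/sh
# Added example (not from the advisory): audit files that init executes as
# root. Function names are hypothetical; GNU stat (-c format) is assumed.

# risky_perms OWNER_UID OCTAL_MODE
# Prints why a root-executed file with this owner and mode can be modified
# by a non-root user; prints nothing when it is root-owned and not writable
# by group or others.
risky_perms() {
    owner_uid=$1
    mode=$2
    reasons=""
    if [ "$owner_uid" -ne 0 ]; then
        reasons="owner uid $owner_uid is not root"
    fi
    # A leading 0 makes the shell read the stat mode as an octal constant.
    if [ $(( 0$mode & 020 )) -ne 0 ]; then
        reasons="${reasons:+$reasons, }group-writable"
    fi
    if [ $(( 0$mode & 002 )) -ne 0 ]; then
        reasons="${reasons:+$reasons, }world-writable"
    fi
    if [ -n "$reasons" ]; then printf '%s\n' "$reasons"; fi
}

# audit_root_run PATH...
# Prints one line per finding; returns 0 only when every path is clean.
audit_root_run() {
    findings=0
    for path in "$@"; do
        # -L: judge the file a symlink points to, since that is what runs.
        if ! info=$(stat -L -c '%u %a' -- "$path" 2>/dev/null); then
            printf '%s: cannot stat\n' "$path"
            findings=$((findings + 1))
            continue
        fi
        reasons=$(risky_perms "${info% *}" "${info#* }")
        if [ -n "$reasons" ]; then
            printf '%s: %s\n' "$path" "$reasons"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage: sh audit.sh /etc/init.d/* /path/to/daemon-binary
if [ "$#" -gt 0 ]; then audit_root_run "$@"; fi
```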

Impact

This could lead to a local privilege escalation or root compromise.

Workaround

There is no known workaround at this time.

Resolution

All GIMPS users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sci-misc/gimps-23.9-r1"

All SETI@home users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sci-misc/setiathome-3.03-r2"

All ChessBrain users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sci-misc/chessbrain-20407-r1"

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200411-26.xml

Concerns?

Security is a primary focus of Gentoo Linux, and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org; alternatively, you may file a bug at https://bugs.gentoo.org.

License

Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.