Otkrivene su i ispravljene dvije sigurnosne ranjivosti u radu programskog paketa acpid. Lokalni ih napadači mogu iskoristiti za dobivanje većih ovlasti, pokretanje proizvoljnog programskog koda, čitanje i izmjenu podataka.
Paket:
acpid 2.0.x
Operacijski sustavi:
Mandriva Linux 2011
Kritičnost:
7
Problem:
pogreška u programskoj komponenti
Iskorištavanje:
lokalno
Posljedica:
dobivanje većih privilegija, izmjena podataka, proizvoljno izvršavanje programskog koda
Rješenje:
programska zakrpa proizvođača
CVE:
CVE-2011-2777, CVE-2011-4578
Izvorni ID preporuke:
MDVSA-2012:137
Izvor:
Mandriva
Problem:
Spomenute su ranjivosti uzrokovane pogreškama u ACPI skriptama.
Posljedica:
Napadačima omogućuju pokretanje proizvoljnog programskog koda, stjecanje većih ovlasti te čitanje i izmjenu podataka.
Rješenje:
Korisnicima se savjetuje instalacija sigurnosnih zakrpa.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2012:137
http://www.mandriva.com/security/
_______________________________________________________________________
Package : acpid
Date : August 17, 2012
Affected: 2011.
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been discovered and corrected in acpid:
Oliver-Tobias Ripka discovered that an ACPI script incorrectly handled
power button events. A local attacker could use this to execute
arbitrary code, and possibly escalate privileges (CVE-2011-2777).
Helmut Grohne and Michael Biebl discovered that ACPI scripts were
executed with a permissive file mode creation mask (umask). A local
attacker could read files and modify directories created by ACPI
scripts that did not set a strict umask (CVE-2011-4578).
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4578
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2011:
23d5343c86fea6a72a789a3f29e4f733 2011/i586/acpid-2.0.10-1.1-mdv2011.0.i586.rpm
3a78db800ec8c3063d834f618a39357e 2011/SRPMS/acpid-2.0.10-1.1.src.rpm
Mandriva Linux 2011/X86_64:
a8e6080d229eae2c7ce068a240f902c6
2011/x86_64/acpid-2.0.10-1.1-mdv2011.0.x86_64.rpm
3a78db800ec8c3063d834f618a39357e 2011/SRPMS/acpid-2.0.10-1.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFQLeZtmqjQ0CJFipgRApmvAKDTTvdAEhfopnbTnX3l3y7CTLYMJgCfSlO3
EF6GG94rVVeJsbDufkXIgUQ=
=fsBX
-----END PGP SIGNATURE-----
Posljednje sigurnosne preporuke