[SECURITY] Fedora 19 Update: chkrootkit-0.49-9.fc19

updates at fedoraproject.org updates at fedoraproject.org
Fri Jun 13 05:30:39 UTC 2014

Fedora Update Notification
2014-06-05 03:33:25

Name        : chkrootkit
Product     : Fedora 19
Version     : 0.49
Release     : 9.fc19
URL         : http://www.chkrootkit.org
Summary     : Tool to locally check for signs of a rootkit
Description :
chkrootkit is a tool to locally check for signs of a rootkit.
It contains:

 * chkrootkit: shell script that checks system binaries for
   rootkit modification.
 * ifpromisc: checks if the network interface is in promiscuous mode.
 * chklastlog: checks for lastlog deletions.
 * chkwtmp: checks for wtmp deletions.
 * chkproc: checks for signs of LKM trojans.
 * chkdirs: checks for signs of LKM trojans.
 * strings: quick and dirty strings replacement.
 * chkutmp: checks for utmp deletions.

Update Information:

A quoting issue was found in chkrootkit which would lead to a file in /tmp/ being executed, if /tmp/ was mounted without the noexec option. chkrootkit is typically run as the root user. A local attacker could use this flaw to escalate their privileges.

The problematic part was:

file_port=$file_port $i

Which is changed to file_port="$file_port $i" to fix the issue. From the Debian diff:

--- chkrootkit-0.49.orig/debian/patches/CVE-2014-0476.patch
+++ chkrootkit-0.49/debian/patches/CVE-2014-0476.patch
@@ -0,0 +1,13 @@
+Index: chkrootkit/chkrootkit
+--- chkrootkit.orig/chkrootkit
++++ chkrootkit/chkrootkit
+@@ -117,7 +117,7 @@ slapper (){
+    fi
+    for i in ${SLAPPER_FILES}; do
+       if [ -f ${i} ]; then
+-       file_port=$file_port $i
++       file_port="$file_port $i"
+          STATUS=1
+       fi
+    done


Red Hat would like to thank Thomas Stangner for reporting this issue.

* Wed Jun  4 2014 Jon Ciesla <limburgher at gmail.com> - 0.49-9
- Patch for CVE-2014-0476, BZ 1104456, 11044567.
* Sat Aug  3 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.49-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild

  [ 1 ] Bug #1104456 - CVE-2014-0476 chkrootkit: local privilege escalation [fedora-all]
  [ 2 ] Bug #1104457 - CVE-2014-0476 chkrootkit: local privilege escalation [epel-all]

This update can be installed with the "yum" update program.  Use
su -c 'yum update chkrootkit' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at

More information about the package-announce mailing list