libgssglue: Privilege escalation — GLSA 201209-22

A vulnerability in libgssglue may allow a local attacker to gain escalated privileges.

Affected packages

net-libs/libgssglue on all architectures
Affected versions < 0.4
Unaffected versions >= 0.4

Background

libgssglue exports a GSSAPI interface which calls other random GSSAPI libraries.

Description

libgssglue does not securely use getenv() when loading a library for a setuid application.
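The pattern described above, shown beside a hardened form, as an added example that is not libgssglue's own code. The variable name EXAMPLE_MECH_LIB, the default path and all function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names for this example; not taken from libgssglue. */
#define MECH_LIB_ENV     "EXAMPLE_MECH_LIB"
#define DEFAULT_MECH_LIB "/usr/lib/example_mech.so"

/* Unsafe: the caller's environment always decides which library is
 * loaded, even when the process has more privilege than the caller. */
const char *mech_lib_unsafe(void)
{
    const char *p = getenv(MECH_LIB_ENV);
    return (p != NULL && p[0] != '\0') ? p : DEFAULT_MECH_LIB;
}

/* True when real and effective IDs differ (setuid or setgid execution).
 * glibc's secure_getenv(3) performs a broader check of the same kind. */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Pure decision, kept separate from process state so it can be tested. */
const char *choose_mech_lib(const char *env_value, int privileged)
{
    if (privileged || env_value == NULL || env_value[0] == '\0')
        return DEFAULT_MECH_LIB;
    return env_value;
}

/* Hardened: the override is honoured only for unprivileged execution. */
const char *mech_lib_safe(void)
{
    return choose_mech_lib(getenv(MECH_LIB_ENV), running_privileged());
}

int main(void)
{
    printf("unsafe: %s\nsafe:   %s\n", mech_lib_unsafe(), mech_lib_safe());
    return 0;
}
```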

Impact

A local attacker could gain escalated privileges.

Workaround

There is no known workaround at this time.

Resolution

All libgssglue users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-libs/libgssglue-0.4"
 

References

Release date
September 28, 2012

Latest revision
September 28, 2012: 1

Severity
high

Exploitable
local

Bugzilla entries