List:       oss-security
Subject:    [oss-security] CVE request: enlightenment sysactions
From:       Martin Carpenter <mcarpenter () free ! fr>
Date:       2014-01-30 22:30:51
Message-ID: 1391121051.4051.34.camel () juliet ! mcarpenter ! org

Hi,

Red Hat Security suggested I request a CVE here since this potentially
affects multiple distros/maintainers. The Enlightenment window manager
(enlightenment.org) was found to ship with (a) a setuid root helper that
did not effectively sanitize its environment and (b) a weak default
configuration. Users in select groups could exploit this to execute
arbitrary programs as root.

This was fixed upstream in 3 commits each for both e17 and e18 branches,
with two new releases shipped shortly after:
  0.17.6, Dec  4th 2013: [1], [2], [3]
  0.18.0, Dec 21st 2013: [4], [5], [6]

Fedora has a bug filed against it at [7] referencing the e18 commits.

Thanks,

Martin.

[1] https://git.enlightenment.org/core/enlightenment.git/commit/?id=ea605237bb64ee09341121461b3d2c0f5dbe832d
[2] https://git.enlightenment.org/core/enlightenment.git/commit/?id=126afd0fda493deec8398088e6e928b4d2e5f463
[3] https://git.enlightenment.org/core/enlightenment.git/commit/?id=8cabf2708520539cf25ca0a876f9c044f6d56a77
[4] https://git.enlightenment.org/core/enlightenment.git/commit/?id=9456e88504cb5daddbac3f49373a3a9a8577e27a
[5] https://git.enlightenment.org/core/enlightenment.git/commit/?id=666df815cd86a50343859bce36c5cf968c5f38b0
[6] https://git.enlightenment.org/core/enlightenment.git/commit/?id=bb4a21e98656fe2c7d98ba2163e6defe9a630e2b
[7] https://bugzilla.redhat.com/show_bug.cgi?id=1059410