From: glsamaker@gentoo.org
To: gentoo-announce@lists.gentoo.org
Reply-To: security@gentoo.org
Subject: [gentoo-announce] [ GLSA 202310-08 ] man-db: privilege escalation
Date: Sun, 08 Oct 2023 07:26:03 -0000
Message-ID: <169674996402.7.5774816522761093059@eaa400207d9c>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202310-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: man-db: privilege escalation
      Date: October 08, 2023
      Bugs: #662438
        ID: 202310-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A root privilege escalation through a setuid executable and a cron job
has been discovered in man-db.

Background
==========

man-db is a man replacement that utilizes BerkeleyDB instead of flat
files.

Affected packages
=================

    Package          Vulnerable    Unaffected
    ---------------  ------------  ------------
    sys-apps/man-db  < 2.8.5       >= 2.8.5

Description
===========

A root privilege escalation through a setuid executable and a cron job
has been discovered in man-db. Please review the CVE identifier
referenced below for details.

Impact
======

A local user with access to the man user or group can elevate
privileges to root.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All man-db users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-apps/man-db-2.8.5"

References
==========

[ 1 ] CVE-2018-25078
      https://nvd.nist.gov/vuln/detail/CVE-2018-25078

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  https://security.gentoo.org/glsa/202310-08

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmUiWYsACgkQFMQkOaVy
+9l6NRAA1NqVk0fZzTfR4/72Pa63HgxrUjp7aNxUMTAOvtt5ni0nt8Bauv2wwkRh
+pI1sB5CU/SfupC4WBZBANL/zQeR+/4GRpiC2UVdChOTCYu/G3ZZ7W+Wvi4EGRef
xgz4clJLEC9P1f8ZS0WtK8fyyWKG+2+KUqagCEquPLtOokGQ8b7Ensp/RCeSGjKh
P1RF36uQnR1uuuj417wtPAeg05CJJG7gIVDLt/fXsiIl1o0VouNuq9BNFtIQhpYy
L3gWFNNMQXoysRl5b6lna7F3TgU4I68FtF9cwlvaNCPf00gsHkTjTD0Oo+yBrD2t
w4eARZ4ledmznoRapGTw29vGK1ztr17RPQZJFEZCdlqwO22JnE1depdV9Q+a4JzR
CV4B+/3ctJwAlewVMwmZlYd10wgJ5WrPeHDH4JqZHM6STD9qFy1CU2iTVUUbmzgs
ayibh3aBF9O/E+ie/w4iyv43czHq1ZrT5ZqpvedqhX20R1Zksfy14bj8S3iUxLAS
24o7AwD3PifhbpMAKVnngW+UBGNJsNryhqSdOLal/zpg9G6jOopjdRSBpS11COdV
gVQU+ekrpf0mFu+F2nBhsf4idgcpCYlOteaLteAAJoehx8g4y7wFhzygxZN1c4uo
+3hBkfseovHguFZttb8BkEEGKiVcw+3mK7FKhkaXwjsBzq2h0ZM=
=500i
-----END PGP SIGNATURE-----
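The Affected packages table above is what an administrator actually has to act on, so here is an added example (editor's code, not part of the advisory and not Gentoo's own tooling) that turns that table into an installed-version check. The table entries are copied from the advisory; the installed-package list is a constructed sample in the `category/name-version` form that Portage uses, and the version comparison is a deliberately simplified one that understands dotted numeric versions plus an optional `-rN` revision, which is enough for the man-db range here but not for every Portage version suffix.

```python
"""Check installed Gentoo packages against the GLSA 202310-08 affected table.

Added example for this advisory, not Gentoo code. Assumptions: package
versions are dotted integers with an optional -rN revision (no _p/_rc/letter
suffixes), and the installed list is one 'category/name-version' atom per
line, which is the shape the constructed sample below uses.
"""
import re
from typing import Dict, List, Tuple

# Copied from the advisory's "Affected packages" table.
AFFECTED: Dict[str, Dict[str, str]] = {
    "sys-apps/man-db": {"vulnerable": "< 2.8.5", "unaffected": ">= 2.8.5"},
}

_VERSION_RE = re.compile(r"^(?P<ver>\d+(?:\.\d+)*)(?:-r(?P<rev>\d+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """'2.8.4-r1' -> ((2, 8, 4), 1). Rejects suffixes this example does not model."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    parts = tuple(int(x) for x in m.group("ver").split("."))
    return parts, int(m.group("rev") or 0)


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a three-way comparison of two versions."""
    pa, ra = parse_version(a)
    pb, rb = parse_version(b)
    # Pad the shorter tuple with zeros so that 2.8 compares equal to 2.8.0.
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    if pa != pb:
        return -1 if pa < pb else 1
    return (ra > rb) - (ra < rb)


_OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "=": lambda c: c == 0,
}


def matches(version: str, spec: str) -> bool:
    """spec is written as in GLSA tables, e.g. '< 2.8.5' or '>= 2.8.5'."""
    op, _, bound = spec.partition(" ")
    return _OPS[op](compare(version, bound.strip()))


def split_atom(atom: str) -> Tuple[str, str]:
    """'sys-apps/man-db-2.8.4-r1' -> ('sys-apps/man-db', '2.8.4-r1').

    The version starts at the first '-' that is followed by a digit; this
    heuristic is sufficient for the sample atoms used here.
    """
    m = re.search(r"-(?=\d)", atom)
    if not m:
        raise ValueError(f"no version in atom: {atom!r}")
    return atom[: m.start()], atom[m.start() + 1 :]


def vulnerable_packages(installed: List[str]) -> List[Tuple[str, str]]:
    """Return (atom, unaffected spec) for each installed package that falls
    inside a vulnerable range of the advisory table."""
    findings = []
    for atom in installed:
        pkg, ver = split_atom(atom)
        entry = AFFECTED.get(pkg)
        if entry and matches(ver, entry["vulnerable"]):
            findings.append((atom, entry["unaffected"]))
    return findings


# Constructed sample of an installed-package listing; on a real system the
# atoms would come from Portage's own tooling rather than a literal list.
SAMPLE_INSTALLED = [
    "sys-apps/man-db-2.8.4-r1",
    "sys-apps/man-db-2.8.5",
    "sys-apps/groff-1.22.4",
]

if __name__ == "__main__":
    for atom, fix in vulnerable_packages(SAMPLE_INSTALLED):
        print(f"{atom}: in vulnerable range of GLSA 202310-08, upgrade to {fix}")
```

Only the `2.8.4-r1` atom is reported: the `-r1` revision of a vulnerable upstream version is still below `2.8.5`, while `2.8.5` itself is exactly the unaffected boundary, which is why the comparison must treat the revision as a secondary key rather than ignoring it or sorting it ahead of the upstream version.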