Red Hat Bugzilla – Bug 439687
CVE-2008-1614 mod_suphp: local privilege escalation through symlinks
Last modified: 2008-04-02 11:09:59 EDT
Upstream found two local privilege escalation problems which include the use of
symlink. in mod_suphp 0.6.2. Fixes for these bugs are included in 0.6.3.
Upstream recommends an immediate update for all users.
Short upstream report: http://www.suphp.org/Home.html
Detailed report: http://article.gmane.org/gmane.comp.php.suphp.general/348
Unfortunately, I don't know any public version control system for mod_suphp.
This means it is quite hard to isolate the code fixing the described problems.
For Fedora we can just update to 0.6.3 but EPEL should get a backport.
Therefore I examined the releases 0.6.2 and 0.6.3 for changes ('diff --recursive
-u --exclude="aclocal*" --exclude="config*" --exclude="Makefile*"
--exclude=ChangeLog --exclude=INSTALL suphp-0.6.2 suphp-0.6.3 > diff.patch').
The resulting diff is ~11 kB big but it seems to me that the only source code
changes since 0.6.2 were the mentioned fixes for the upstream problems. (I won't
attach the diff here as it is easy to recreate.)
Therefore I don't see a point backporting the fixes (and risk not fixing the
However, there's no interface available AFAIK like trac or viewsvn.
I'd really like to see a fast fix for this problem, especially for Fedora 7 + 8.
You're right about 0.6.2 vs. 0.6.3 : the only change is this fix, and some
I'll attach the diff anyway.
Created attachment 299694 [details]
Fixes symlink checks
mod_suphp-0.6.3-1.fc7 has been submitted as an update for Fedora 7
mod_suphp-0.6.3-1.fc8 has been submitted as an update for Fedora 8
mod_suphp-0.6.3-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
mod_suphp-0.6.3-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.