Hide Forgot
A quoting issue was found in chkrootkit which would lead to a file in /tmp/ being executed, if /tmp/ was mounted without the noexec option. chkrootkit is typically run as the root user. A local attacker could use this flaw to escalate their privileges. The problematic part was: file_port=$file_port $i Which is changed to file_port="$file_port $i" to fix the issue. From the Debian diff: --- chkrootkit-0.49.orig/debian/patches/CVE-2014-0476.patch +++ chkrootkit-0.49/debian/patches/CVE-2014-0476.patch @@ -0,0 +1,13 @@ +Index: chkrootkit/chkrootkit +=================================================================== +--- chkrootkit.orig/chkrootkit ++++ chkrootkit/chkrootkit +@@ -117,7 +117,7 @@ slapper (){ + fi + for i in ${SLAPPER_FILES}; do + if [ -f ${i} ]; then +- file_port=$file_port $i ++ file_port="$file_port $i" + STATUS=1 + fi + done Acknowledgements: Red Hat would like to thank Thomas Stangner for reporting this issue.
Created chkrootkit tracking bugs for this issue: Affects: fedora-all [bug 1104456] Affects: epel-all [bug 1104457]