You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

52 lines
1.8 KiB

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201904-05">
<title>BURP: Root privilege escalation</title>
<synopsis>A vulnerability was discovered in Gentoo's ebuild for BURP which
could lead to root privilege escalation.
</synopsis>
<product type="ebuild">burp</product>
<announced>2019-04-02</announced>
<revised count="1">2019-04-02</revised>
<bug>641842</bug>
<access>local</access>
<affected>
<package name="app-backup/burp" auto="yes" arch="*">
<unaffected range="ge">2.1.32-r1</unaffected>
<vulnerable range="lt">2.1.32-r1</vulnerable>
</package>
</affected>
<background>
<p>A network backup and restore program.</p>
</background>
<description>
<p>It was discovered that Gentoos BURP ebuild does not properly set
permissions or place the pid file in a safe directory. Additionally, the
first set of patches did not completely address this. As such, a
revision has been made available that addresses all concerns of the
initial report.
</p>
</description>
<impact type="normal">
<p>A local attacker could escalate privileges.</p>
</impact>
<workaround>
<p>Users should ensure the proper permissions are set as discussed in the
referenced bugs.
</p>
</workaround>
<resolution>
<p>All BURP users should upgrade to the latest version:</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose "&gt;=app-backup/burp-2.1.32-r1"
</code>
</resolution>
<references>
<uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-18285">CVE-2017-18285</uri>
</references>
<metadata tag="requester" timestamp="2019-03-27T01:35:48Z">BlueKnight</metadata>
<metadata tag="submitter" timestamp="2019-04-02T04:23:38Z">b-man</metadata>
</glsa>