<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201706-01">
<title>MUNGE: Privilege escalation</title>
<synopsis>Gentoo's MUNGE ebuilds are vulnerable to privilege escalation due
to improper permissions.
</synopsis>
<product type="ebuild">munge</product>
<announced>2017-06-06</announced>
<revised count="1">2017-06-06</revised>
<bug>602596</bug>
<access>local</access>
<affected>
<package name="sys-auth/munge" auto="yes" arch="*">
<unaffected range="ge">0.5.10-r2</unaffected>
<vulnerable range="lt">0.5.10-r2</vulnerable>
</package>
</affected>
<background>
<p>An authentication service for creating and validating credentials.</p>
</background>
<description>
<p>It was discovered that Gentoo’s default MUNGE installation suffered
from a privilege escalation vulnerability (munge user to root) due to
improper permissions and a runscript which called chown() on a
user-controlled file.
</p>
</description>
<impact type="high">
<p>A local attacker, who either is already MUNGE’s system user or belongs
to MUNGE’s group, could potentially escalate privileges.
</p>
</impact>
<workaround>
<p>There is no known workaround at this time.</p>
</workaround>
<resolution>
<p>All MUNGE users should upgrade to the latest version:</p>