Michael Orlitzky

**Name of the Vulnerable Software and Affected Versions** Nagios NDOUtils versions prior to 2.1.4 **Description** The issue allows privilege escalation from the nagios user to root because certain executable files are owned by the nagios user. **Recommendations** For versions prior to 2.1.4, update to version 2.1.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Maxima versions prior to 5.47.0 before 51704c **Description** The plotting facilities in the affected software make use of predictable names under /tmp, allowing a local attacker to control the contents by creating files in advance with these names. This issue affects, for example, plot2d. **Recommendations** For Maxima versions prior to 5.47.0 before 51704c, consider restricting access to the /tmp directory to prevent local attackers from creating files with predictable names until a patch is available. As a temporary workaround, avoid using the plotting facilities, such as plot2d, until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Slurm versions through 22.05.3 **Description** The issue arises from the `pkg postinst` in the Gentoo ebuild for Slurm, which unnecessarily calls `chown` to assign root's ownership on files in the live root filesystem. This could be exploited by the `slurm` user to become the owner of root-owned files. **Recommendations** For Slurm versions through 22.05.3, consider restricting the `slurm` user's access to sensitive files until a patch is available. As a temporary workaround, avoid using the `pkg postinst` script in the Gentoo ebuild for Slurm, or ensure that the `chown` command is not executed unnecessarily. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** uptimed versions prior to 0.4.6-r1 **Description** The issue allows local users with access to the uptimed user account to gain root privileges. This is achieved by creating a hard link within the /var/spool/uptimed directory, taking advantage of an unsafe chown -R call. **Recommendations** For versions prior to 0.4.6-r1, update to version 0.4.6-r1 or later to resolve the issue. As a temporary workaround, consider restricting access to the /var/spool/uptimed directory to prevent the creation of hard links.

**Name of the Vulnerable Software and Affected Versions** SmokePing versions through 2.7.3-r1 **Description** The issue allows the smokeping user to cause a denial of service to arbitrary PIDs when the service is stopped by writing arbitrary PIDs to the PID file used by the initscript. **Recommendations** For SmokePing versions through 2.7.3-r1, consider restricting write access to the PID file used by the initscript to prevent the smokeping user from writing arbitrary PIDs to it. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SmokePing versions through 2.7.3-r1 **Description** The initscript in the ebuild package for SmokePing on Gentoo allows the smokeping user to gain ownership of any file, potentially leading to the smokeping user gaining root privileges. This issue involves a race condition related to `/var/lib/smokeping` and the `chown` command. **Recommendations** For versions through 2.7.3-r1, consider restricting the privileges of the smokeping user to prevent exploitation of this issue. As a temporary workaround, restrict access to the `/var/lib/smokeping` directory to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Logcheck versions through 1.3.23 **Description** The issue allows for root privilege escalation from the logcheck user due to insecure recursive chown calls in the ebuild package for Logcheck on Gentoo. **Recommendations** For versions through 1.3.23, consider restricting access to the logcheck user to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Gentoo Portage versions 2.3.84 and earlier **Description** The issue allows local users to place a Trojan horse plugin in the /usr/lib64/nagios/plugins directory by leveraging access to the nagios user account. This is possible because the directory is writable between a call to `emake` and a call to `fowners`. **Recommendations** For Gentoo Portage versions 2.3.84 and earlier, consider restricting write access to the /usr/lib64/nagios/plugins directory to prevent unauthorized placement of plugins. As a temporary workaround, monitor the directory for any suspicious activity and restrict access to the nagios user account until a fix is available.

**Name of the Vulnerable Software and Affected Versions** Nix versions prior to 2.3 **Description** The issue allows local users to gain access to an arbitrary user's account. This is because the parent directory of the user-profile directories is world writable. **Recommendations** For versions prior to 2.3, update to version 2.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** man-db versions prior to 2.8.5 **Description** The issue allows local users with access to the man user account to gain root privileges because /usr/bin/mandb is executed by root but not owned by root. Additionally, the owner can strip the setuid and setgid bits. **Recommendations** For versions prior to 2.8.5, update to version 2.8.5 or later to resolve the issue. As a temporary workaround, consider changing the ownership of /usr/bin/mandb to root to prevent exploitation.

Name of the Vulnerable Software and Affected Versions: burp versions prior to 2.1.32 Description: The issue allows local users to potentially kill arbitrary processes by modifying the PID file before a root script sends a SIGKILL signal, leveraging access to the burp account. Recommendations: For versions prior to 2.1.32, update to version 2.1.32 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: burp versions prior to 2.1.32 Description: The issue is related to incorrect group ownership of the /etc/burp directory, potentially allowing local users to gain read and write access to arbitrary files by modifying the burp-server.conf file. Recommendations: For versions prior to 2.1.32, update to version 2.1.32 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: collectd versions prior to 5.7.2-r1 Description: The issue allows local users to potentially kill arbitrary processes by modifying PID files, leveraging access to the collectd account before a root script sends a SIGKILL when the service is stopped. Recommendations: For versions prior to 5.7.2-r1, update to version 5.7.2-r1 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: jabberd2 versions prior to 2.6.1 Description: The issue allows local users to potentially kill arbitrary processes by modifying PID files. This is possible because the ownership of /var/run/jabber is set to the jabber account, which can be leveraged to modify PID files before a root script executes a command to kill processes based on the contents of these files. Recommendations: For versions prior to 2.6.1, consider restricting access to the /var/run/jabber directory to prevent unauthorized modification of PID files until a fix is available. As a temporary workaround, ensure that only trusted users have access to the jabber account to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Gentoo net-im/jabberd2 versions through 2.6.1 Description: The issue allows local users to potentially gain privileges by leveraging access to the jabber account and waiting for root to execute one of the installed programs, including jabberd, jabberd2-c2s, jabberd2-router, jabberd2-s2s, and jabberd2-sm. Recommendations: For Gentoo net-im/jabberd2 versions through 2.6.1, consider changing the ownership of the installed programs from the jabber account to a more secure account to prevent local users from gaining privileges.

Name of the Vulnerable Software and Affected Versions: systemd versions prior to 237 Description: The issue is related to incorrect link resolution before file access in the systemd-tmpfiles daemon, allowing an attacker to bypass existing access restrictions and potentially disclose protected information. This can occur when the fs.protected hardlinks setting is disabled by an administrator and an attacker creates hard links to sensitive files. Local users can exploit this to change ownership or permissions of files they normally cannot access, such as the /etc/passwd file. Recommendations: For versions prior to 237, update to version 237 or later to resolve the issue. As a temporary workaround, consider enabling the fs.protected hardlinks sysctl to prevent the creation of hard links to sensitive files.

Name of the Vulnerable Software and Affected Versions: GNU Coreutils versions prior to 8.30 Description: The issue allows local users to modify the ownership of arbitrary files by leveraging a race condition when using the POSIX "-R -L" options in chown and chgrp. This occurs because chown-core.c does not prevent replacement of a plain file with a symlink. Recommendations: For GNU Coreutils versions prior to 8.30, update to version 8.30 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the POSIX "-R -L" options in chown and chgrp until the update is applied.

**Name of the Vulnerable Software and Affected Versions** mail-filter/assp versions 1.9.8.13030 and earlier **Description** The issue allows local users to gain privileges by leveraging access to the assp user account. This can be achieved by installing a Trojan horse /usr/share/assp/assp.pl script. **Recommendations** For versions 1.9.8.13030 and earlier, update to a version later than 1.9.8.13030 to resolve the issue. As a temporary workaround, consider restricting access to the assp user account and monitoring the /usr/share/assp/assp.pl script for any unauthorized modifications.

**Name of the Vulnerable Software and Affected Versions** Gentoo net-misc/vde versions prior to 2.3.2-r4 **Description** The issue may allow members of the "qemu" group to gain root privileges by creating a hard link in a directory on which "chown" is called recursively by the OpenRC service script. **Recommendations** For versions prior to 2.3.2-r4, update to version 2.3.2-r4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Gentoo dev-db/mysql versions prior to 2017-09-29 Gentoo dev-db/mariadb versions prior to 2017-09-29 Gentoo dev-db/percona-server versions prior to 2017-09-29 Gentoo dev-db/mysql-cluster versions prior to 2017-09-29 Gentoo dev-db/mariadb-galera versions prior to 2017-09-29 **Description** The issue allows local users to gain privileges by leveraging access to the mysql account for creation of a link, due to chown calls for user-writable directory trees in the installation scripts. **Recommendations** For Gentoo dev-db/mysql versions prior to 2017-09-29, update to a version released after 2017-09-29 to resolve the issue. For Gentoo dev-db/mariadb versions prior to 2017-09-29, update to a version released after 2017-09-29 to resolve the issue. For Gentoo dev-db/percona-server versions prior to 2017-09-29, update to a version released after 2017-09-29 to resolve the issue. For Gentoo dev-db/mysql-cluster versions prior to 2017-09-29, update to a version released after 2017-09-29 to resolve the issue. For Gentoo dev-db/mariadb-galera versions prior to 2017-09-29, update to a version released after 2017-09-29 to resolve the issue.