CVE-2010-4170

Name of the Vulnerable Software and Affected Versions systemtap versions 0.6.2 through 1.3 systemtap-runtime versions 0.6.2 through 1.1 systemtap-testsuite versions 0.6.2 through 1.1 systemtap-client versions 1.1 through 1.2 systemtap-server versions 1.1 systemtap-initscript versions 1.1 systemtap-debuginfo versions 1.2 systemtap-sdt-devel versions 1.1

Description The issue affects the systemtap package in Red Hat Enterprise Linux and CentOS operating systems. It allows local users to gain privileges by exploiting the vulnerability, potentially leading to a breach of confidentiality, integrity, and availability of protected information. The vulnerability can be exploited locally. The staprun runtime tool in SystemTap does not properly clear the environment before executing modprobe, which allows local users to gain privileges by setting the MODPROBE OPTIONS environment variable to specify a malicious configuration file.

Recommendations For systemtap versions 0.6.2 through 1.3, update to a version that contains a fix for this issue. For systemtap-runtime versions 0.6.2 through 1.1, update to a version that contains a fix for this issue. For systemtap-testsuite versions 0.6.2 through 1.1, update to a version that contains a fix for this issue. For systemtap-client versions 1.1 through 1.2, update to a version that contains a fix for this issue. For systemtap-server version 1.1, update to a version that contains a fix for this issue. For systemtap-initscript version 1.1, update to a version that contains a fix for this issue. For systemtap-debuginfo version 1.2, update to a version that contains a fix for this issue. For systemtap-sdt-devel version 1.1, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting the use of the staprun runtime tool until a patch is available. Avoid using the MODPROBE OPTIONS environment variable in the affected systemtap package until the issue is resolved.