GIMPS, SETI@home, ChessBrain: Insecure installation — GLSA 200411-26

Improper file ownership allows user-owned files to be run with root privileges by init scripts.

Affected packages

sci-misc/gimps on all architectures
Affected versions <= 23.9
Unaffected versions >= 23.9-r1
sci-misc/setiathome on all architectures
Affected versions <= 3.08-r3
Unaffected versions >= 3.08-r4
revision >= 3.03-r2
sci-misc/chessbrain on all architectures
Affected versions <= 20407
Unaffected versions >= 20407-r1

Background

GIMPS is a client for the distributed Great Internet Mersenne Prime Search. SETI@home is the client for the Search for Extraterrestrial Intelligence (SETI) project. ChessBrain is the client for the distributed chess supercomputer.

Description

GIMPS, SETI@home and ChessBrain ebuilds install user-owned binaries and init scripts which are executed with root privileges.

Impact

This could lead to a local privilege escalation or root compromise.

Workaround

There is no known workaround at this time.

Resolution

All GIMPS users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sci-misc/gimps-23.9-r1"

All SETI@home users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sci-misc/setiathome-3.03-r2"

All ChessBrain users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sci-misc/chessbrain-20407-r1"

References

Release date
November 17, 2004

Latest revision
May 22, 2006: 03

Severity
high

Exploitable
local

Bugzilla entries