A quoting flaw was found in chkrootkit's slapper() check which would cause a file in /tmp/ to be executed instead of recorded, if /tmp/ was mounted without the noexec option. chkrootkit is typically run as the root user, so a local attacker able to create such a file could use this flaw to escalate their privileges.
The problematic line was:
file_port=$file_port $i
Because file_port is empty on the first match, the shell parses this as a temporary variable assignment followed by a command, and runs $i (the matched file) as a program rather than appending its name. It is changed to file_port="$file_port $i", which makes the whole right-hand side a single assignment, to fix the issue. From the Debian diff:
--- chkrootkit-0.49.orig/debian/patches/CVE-2014-0476.patch +++ chkrootkit-0.49/debian/patches/CVE-2014-0476.patch @@ -0,0 +1,13 @@ +Index: chkrootkit/chkrootkit +=================================================================== +--- chkrootkit.orig/chkrootkit ++++ chkrootkit/chkrootkit +@@ -117,7 +117,7 @@ slapper (){ + fi + for i in ${SLAPPER_FILES}; do + if [ -f ${i} ]; then +- file_port=$file_port $i ++ file_port="$file_port $i" + STATUS=1 + fi + done
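Review bot: the quoting fix at `file_port="$file_port $i"` is correct, but the test two lines above it, `if [ -f ${i} ]; then`, leaves ${i} unquoted as well; for consistency with the fix, and so an unexpected path cannot be split or globbed inside the test, write it as `if [ -f "${i}" ]; then`. The loop header `for i in ${SLAPPER_FILES}; do` must stay unquoted, since word splitting of the space-separated list is what produces the individual file names.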
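The following script is an added example, not chkrootkit's own code or part of the patch: it reproduces the vulnerable and fixed forms of the slapper() loop side by side. Instead of /tmp/ it uses a constructed scratch directory under the current working directory, plants a file named .bugtraq (one of the names chkrootkit's slapper check looks for; the payload, which only creates a marker file, is constructed for the demo), and shows that the unquoted assignment executes the file while the quoted one merely records its path. The function names plant_demo_file, vulnerable_slapper_loop, fixed_slapper_loop and was_executed are assumptions of this example.

```shell
#!/bin/sh
# Added example (not chkrootkit code): reproduce CVE-2014-0476 in a scratch directory.

# Plant an executable file with a name the slapper check matches. The payload
# is a constructed stand-in: it only drops a marker file so we can tell it ran.
plant_demo_file() {
    dir=$1
    planted="$dir/.bugtraq"
    printf '#!/bin/sh\ntouch "%s/executed"\n' "$dir" > "$planted"
    chmod +x "$planted"
    printf '%s\n' "$planted"
}

# Vulnerable loop as shipped in chkrootkit 0.49. With file_port empty, the shell
# parses `file_port=$file_port $i` as an environment prefix followed by a
# command, so the matched file is executed instead of appended.
vulnerable_slapper_loop() {
    file_port=
    for i in "$@"; do
        if [ -f "$i" ]; then
            file_port=$file_port $i
            STATUS=1
        fi
    done
    printf '%s\n' "$file_port"
}

# Fixed loop from the patch: the double quotes turn the whole right-hand side
# into one assignment, so $i is treated as data.
fixed_slapper_loop() {
    file_port=
    for i in "$@"; do
        if [ -f "$i" ]; then
            file_port="$file_port $i"
            STATUS=1
        fi
    done
    printf '%s\n' "$file_port"
}

# Report whether the planted file's payload ran in the given scratch directory.
was_executed() {
    if [ -e "$1/executed" ]; then echo executed; else echo not-executed; fi
}

# Demo run. The scratch directory lives under $PWD rather than /tmp so that a
# noexec /tmp does not mask the behaviour being demonstrated.
demo_dir=$(mktemp -d "$PWD/chkrootkit-demo.XXXXXX")
target=$(plant_demo_file "$demo_dir")

fixed_out=$(fixed_slapper_loop "$target")
echo "fixed loop recorded:      '$fixed_out' ($(was_executed "$demo_dir"))"

vuln_out=$(vulnerable_slapper_loop "$target")
echo "vulnerable loop recorded: '$vuln_out' ($(was_executed "$demo_dir"))"

rm -rf "$demo_dir"
```

The fixed loop returns the path with a leading space, which is exactly how chkrootkit later prints the list in its warning; the vulnerable loop returns an empty string, because the assignment only lived in the environment of the command it accidentally launched, and the marker file shows that the planted file ran.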
Acknowledgements:
Red Hat would like to thank Thomas Stangner for reporting this issue.
This update has been submitted for testing by limb.
This update is currently being pushed to the Fedora EPEL 6 testing updates repository.
This update has been pushed to testing
This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes
This update has been submitted for stable by limb.
This update is currently being pushed to the Fedora EPEL 6 stable updates repository.
This update has been pushed to stable