CVE-2007-1507 Information
Description
The default configuration in OpenAFS 1.4.x before 1.4.4 and 1.5.x before 1.5.17 supports setuid programs within the local cell, which might allow attackers to gain privileges by spoofing a response to an AFS cache manager FetchStatus request and setting setuid and root ownership for files in the cache.
Reference
http://secunia.com/advisories/24582
http://secunia.com/advisories/24599
http://secunia.com/advisories/24607
http://secunia.com/advisories/24720
http://security.gentoo.org/glsa/glsa-200704-03.xml
http://www.debian.org/security/2007/dsa-1271
http://www.mandriva.com/security/advisories?name=MDKSA-2007:066
http://www.openafs.org/pipermail/openafs-announce/2007/000185.html
http://www.openafs.org/pipermail/openafs-announce/2007/000186.html
http://www.openafs.org/pipermail/openafs-announce/2007/000187.html
http://www.securityfocus.com/bid/23060
http://www.securitytracker.com/id?1017807
http://www.vupen.com/english/advisories/2007/1033
https://exchange.xforce.ibmcloud.com/vulnerabilities/33180