Updated kernel-utils packages fix setuid vulnerability
|Last updated on:||2003-02-07|
|Affected Products:||Red Hat Linux 8.0|
An updated kernel-utils package is available that removes the setuid bits
incorrectly assigned to the uml_net binary.
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware.
The uml_net utility, a user mode linux (UML) utility, in the kernel-utils
packages that shipped with Red Hat Linux 8.0 incorrectly sets its uid to
the root user. This could allow local users to control certain network
interfaces, add and remove arp entries and routes, and put interfaces in
and out of promiscuous mode.
All users of the kernel-utils package should update to these errata
packages which contain a version of uml_net which does not setuid root.
Alternatively, as a work-around to this vulnerability, an administrator can
issue the following command as root:
chmod -s /usr/bin/uml_net
Red Hat would like to thank Johnny Robertson for alerting us to this issue.
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
Note that this update is also available via Red Hat Network. Many
people find this to be an easier way to apply updates. To use Red Hat
Network, launch the Red Hat Update Agent with the following command:
This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.
Note that you must select kernel-utils explicitly on default configurations
|Red Hat Linux 8.0|
Bugs fixed (see bugzilla for more information)
83685 - uml_net executable allows users to do bad things
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from: