Synopsis: Moderate: systemtap security update
Issue date: 2010-11-17
CVE Names: CVE-2010-4170
It was discovered that staprun did not properly sanitize the environment
before executing the modprobe command to load an additional kernel
module. A local, unprivileged user could use this flaw to escalate their
privileges. (CVE-2010-4170)
Note: On Scientific Linux 4, an attacker must be a member of the
stapusr group to exploit this issue. Also note that, after installing
this update, users already in the stapdev group must be added to the
stapusr group in order to be able to run the staprun tool
SL 4.x
SRPMS:
systemtap-0.6.2-2.el4_8.3.src.rpm
i386:
systemtap-0.6.2-2.el4_8.3.i386.rpm
systemtap-runtime-0.6.2-2.el4_8.3.i386.rpm
systemtap-testsuite-0.6.2-2.el4_8.3.i386.rpm
x86_64:
systemtap-0.6.2-2.el4_8.3.x86_64.rpm
systemtap-runtime-0.6.2-2.el4_8.3.x86_64.rpm
systemtap-testsuite-0.6.2-2.el4_8.3.x86_64.rpm
-Connie Sieh
-Troy Dawson