2000-11-16 06:26:43

by Keith Owens

[permalink] [raw]
Subject: Announce: modutils 2.3.20 is available

Due to the recent modutils 2.3 local root exploits, anybody using
modutils 2.3 should upgrade to 2.3.20. That means everybody using 2.4

The security patch to modutils 2.3.19 only closed part of the exploit,
this version should close all known exploits. modutils still supports
meta expansion, including back quoted commands, but only for data read
from the configuration file. This assumes that when modutils is run as
root out of the kernel, normal users cannot specify their own
configuration files.


patch-modutils-2.3.20.bz2 Patch from modutils 2.3.19 to 2.3.20
modutils-2.3.20.tar.bz2 Source tarball, includes RPM spec file
modutils-2.3.20-1.src.rpm As above, in SRPM format
modutils-2.3.20-1.i386.rpm Compiled with egcs-2.91.66, glibc 2.1.2
modutils-2.3.20-1.sparc.rpm My first sparc rpm, handle with care.

Changelog extract

* Rewrite table generation code to make it easier to add new tables.
* usbmap uses zero vendor as wildcard, test more fields to find end of
table. Adam J. Richter.
* Off by one error in relocations. Jean-Francois Moine.
* Use tgt_long to handle different sizes in combined 32/64 bit
systems. Original patch by Dave Miller.
* Include module type in headers of generated files. Randy Dunlap.
* Add insmod -S (force kallsyms), clean up insmod parameters, man page.
* Clean up messages.
* Verify MODULE_PARM strings.
* Check for multiple well known symbols to get prefix.
* Security cleanup. Triggered by Bugtraq exploits by Michal Zalewski,
Sebastian Krahmer, Chris Evans. It is still the kernel's fault for
passing user data unchanged to a program running as root.
* Add missing s/390 arch_finalize_section_address. Roger Luethi.
* depmod -F supports strange sparc __export_priv_. Dave Miller.
* Sparc64 relocation patch. Redhat (not that they bothered to tell me).
* Sparc64 compile and link fixes. Me, with thanks to Dave Miller for
making a machine available.