Launchpad CVE tracker

CVE 2011-2922

ktsuss versions 1.4 and prior spawns the GTK interface to run as root. This can allow a local attacker to escalate privileges to root and use the "GTK_MODULES" environment variable to possibly execute arbitrary code.

Related bugs and status

CVE-2011-2922 (Candidate) is related to these bugs:

Bug #932107: ktsuss fails to change the effective UID back to the real UID

		In	Importance	Status
932107	ktsuss fails to change the effective UID back to the real UID	ktsuss (Ubuntu)	Undecided	Invalid
932107	ktsuss fails to change the effective UID back to the real UID	ktsuss (Ubuntu Lucid)	Undecided	Won't Fix
932107	ktsuss fails to change the effective UID back to the real UID	ktsuss (Ubuntu Maverick)	Undecided	Won't Fix
932107	ktsuss fails to change the effective UID back to the real UID	ktsuss (Ubuntu Natty)	Undecided	Won't Fix
932107	ktsuss fails to change the effective UID back to the real UID	ktsuss (Debian)	Unknown	Fix Released

Bug #932593: GTK interface runs as root and allows arbitrary code execution via the GTK_MODULES environmental variable.

Summary				In	Importance	Status
	932593	GTK interface runs as root and allows arbitrary code execution via the GTK_MODULES environmental variable.		ktsuss (Ubuntu)	Undecided	Triaged

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2011-2922

References