Debian Security Advisory

xlockmore -- possible shadow file compromise

Date Reported:

16 Aug 2000

Affected Packages:

xlockmore, xlockmore-gl

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2000-0763.

More information:

There is a format string bug in all versions of xlockmore/xlockmore-gl. Debian GNU/Linux 2.1 (slink) installs xlock setgid by default, and this exploit can be used to gain read access to the shadow file. We recommend upgrading immediately.

xlockmore is normally installed as an unprivileged program in Debian GNU/Linux 2.2 (potato) and is not vulnerable in that configuration. xlockmore may be setuid/setgid for historical reasons or after upgrading from a previous Debian GNU/Linux release; consult README.Debian in /usr/doc/xlockmore or /usr/doc/xlockmore-gl for information about xlock privileges and how to disable them. If your local environment requires xlock to be setgid, or if in doubt, you should upgrade to a fixed package immediately.

Fixed packages are available in xlockmore/xlockmore-gl 4.12-5 for Debian GNU/Linux 2.1 (slink) and xlockmore/xlockmore-gl 4.15-9 for Debian GNU/Linux 2.2 (potato).

Fixed in:

Debian GNU/Linux 2.1 (slink):

Source:: http://security.debian.org/dists/slink/updates/source/xlockmore_4.12-5.diff.gz; http://security.debian.org/dists/slink/updates/source/xlockmore_4.12-5.dsc; http://security.debian.org/dists/slink/updates/source/xlockmore_4.12.orig.tar.gz
alpha:: http://security.debian.org/dists/slink/updates/binary-alpha/xlockmore-gl_4.12-5_alpha.deb; http://security.debian.org/dists/slink/updates/binary-alpha/xlockmore_4.12-5_alpha.deb
i386:: http://security.debian.org/dists/slink/updates/binary-i386/xlockmore-gl_4.12-5_i386.deb; http://security.debian.org/dists/slink/updates/binary-i386/xlockmore_4.12-5_i386.deb
alpha:: http://security.debian.org/dists/slink/updates/binary-m68k/xlockmore-gl_4.12-5_m68k.deb; http://security.debian.org/dists/slink/updates/binary-m68k/xlockmore_4.12-5_m68k.deb
sparc:: http://security.debian.org/dists/slink/updates/binary-sparc/xlockmore-gl_4.12-5_sparc.deb; http://security.debian.org/dists/slink/updates/binary-sparc/xlockmore_4.12-5_sparc.deb

Debian GNU/Linux 2.2 (potato):

Source:: http://security.debian.org/dists/potato/updates/main/source/xlockmore_4.15-9.diff.gz; http://security.debian.org/dists/potato/updates/main/source/xlockmore_4.15-9.dsc; http://security.debian.org/dists/potato/updates/main/source/xlockmore_4.15.orig.tar.gz
alpha:: http://security.debian.org/dists/potato/updates/main/binary-alpha/xlockmore-gl_4.15-9_alpha.deb; http://security.debian.org/dists/potato/updates/main/binary-alpha/xlockmore_4.15-9_alpha.deb
arm:: http://security.debian.org/dists/potato/updates/main/binary-arm/xlockmore-gl_4.15-9_arm.deb; http://security.debian.org/dists/potato/updates/main/binary-arm/xlockmore_4.15-9_arm.deb
i386:: http://security.debian.org/dists/potato/updates/main/binary-i386/xlockmore-gl_4.15-9_i386.deb; http://security.debian.org/dists/potato/updates/main/binary-i386/xlockmore_4.15-9_i386.deb
m68k:: http://security.debian.org/dists/potato/updates/main/binary-m68k/xlockmore-gl_4.15-9_m68k.deb; http://security.debian.org/dists/potato/updates/main/binary-m68k/xlockmore_4.15-9_m68k.deb
sparc:: http://security.debian.org/dists/potato/updates/main/binary-sparc/xlockmore-gl_4.15-9_sparc.deb; http://security.debian.org/dists/potato/updates/main/binary-sparc/xlockmore_4.15-9_sparc.deb
powerpc:: http://security.debian.org/dists/potato/updates/main/binary-powerpc/xlockmore-gl_4.15-9_powerpc.deb; http://security.debian.org/dists/potato/updates/main/binary-powerpc/xlockmore_4.15-9_powerpc.deb