Debian Security Advisory
xlockmore -- possible shadow file compromise
- Date Reported:
- 16 Aug 2000
- Affected Packages:
- xlockmore, xlockmore-gl
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2000-0763.
- More information:
- There is a format string bug in all versions of xlockmore/xlockmore-gl. Debian GNU/Linux 2.1 (slink) installs xlock setgid by default, and the bug can be exploited to gain read access to the shadow file. We recommend upgrading immediately.
xlockmore is normally installed as an unprivileged program in Debian GNU/Linux 2.2 (potato) and is not vulnerable in that configuration. xlockmore may be setuid/setgid for historical reasons or after upgrading from a previous Debian GNU/Linux release; consult README.Debian in /usr/doc/xlockmore or /usr/doc/xlockmore-gl for information about xlock privileges and how to disable them. If your local environment requires xlock to be setgid, or if in doubt, you should upgrade to a fixed package immediately.
Fixed packages are available in xlockmore/xlockmore-gl 4.12-5 for Debian GNU/Linux 2.1 (slink) and xlockmore/xlockmore-gl 4.15-9 for Debian GNU/Linux 2.2 (potato).
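The advisory's verdict combines two conditions: the installed version is older than the fixed one, and the xlock binary still carries setuid/setgid bits. The following is an added example, not part of the advisory or of Debian's tooling; it reimplements dpkg's version-ordering rules in Python so the check runs without dpkg, and the path to the xlock binary is an assumption (the advisory does not state it).

```python
import os
import stat

# Fixed package versions named in the advisory, per release.
FIXED = {"slink": "4.12-5", "potato": "4.15-9"}

def _ch(s, i):
    return s[i] if i < len(s) else ""

def _order(c):
    # dpkg character ordering: '~' < end/digit < letters < other symbols
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Alternate non-digit runs (ordered by _order) and digit runs (numeric).
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(_ch(a, i)), _order(_ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1; j += 1
        while _ch(a, i) == "0": i += 1
        while _ch(b, j) == "0": j += 1
        while _ch(a, i).isdigit() and _ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1; j += 1
        if _ch(a, i).isdigit():
            return 1
        if _ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(v):
    # [epoch:]upstream[-debian_revision]; epoch before first ':', revision after last '-'
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, rev = rest.rpartition("-")
    if not sep:
        upstream, rev = rest, ""
    return int(epoch), upstream, rev

def compare_versions(a, b):
    """Negative if a < b, zero if equal, positive if a > b (dpkg semantics)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def assess(installed, release, mode):
    """Apply the advisory's two conditions to a version string and a file mode."""
    below_fix = compare_versions(installed, FIXED[release]) < 0
    privileged = bool(mode & (stat.S_ISUID | stat.S_ISGID))
    return {"below_fix": below_fix, "privileged": privileged,
            "vulnerable": below_fix and privileged}

def assess_path(installed, release, path="/usr/X11R6/bin/xlock"):
    # Path is an assumption; take the real mode from the filesystem.
    return assess(installed, release, os.stat(path).st_mode)
```

A result with `below_fix` true but `privileged` false matches the advisory's "not vulnerable in that configuration", while the advisory still recommends upgrading if in doubt.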
- Fixed in:
Debian GNU/Linux 2.1 (slink):
- Source:
- http://security.debian.org/dists/slink/updates/source/xlockmore_4.12-5.diff.gz
- http://security.debian.org/dists/slink/updates/source/xlockmore_4.12-5.dsc
- http://security.debian.org/dists/slink/updates/source/xlockmore_4.12.orig.tar.gz
- alpha:
- http://security.debian.org/dists/slink/updates/binary-alpha/xlockmore-gl_4.12-5_alpha.deb
- http://security.debian.org/dists/slink/updates/binary-alpha/xlockmore_4.12-5_alpha.deb
- i386:
- http://security.debian.org/dists/slink/updates/binary-i386/xlockmore-gl_4.12-5_i386.deb
- http://security.debian.org/dists/slink/updates/binary-i386/xlockmore_4.12-5_i386.deb
- m68k:
- http://security.debian.org/dists/slink/updates/binary-m68k/xlockmore-gl_4.12-5_m68k.deb
- http://security.debian.org/dists/slink/updates/binary-m68k/xlockmore_4.12-5_m68k.deb
- sparc:
- http://security.debian.org/dists/slink/updates/binary-sparc/xlockmore-gl_4.12-5_sparc.deb
- http://security.debian.org/dists/slink/updates/binary-sparc/xlockmore_4.12-5_sparc.deb
Debian GNU/Linux 2.2 (potato):
- Source:
- http://security.debian.org/dists/potato/updates/main/source/xlockmore_4.15-9.diff.gz
- http://security.debian.org/dists/potato/updates/main/source/xlockmore_4.15-9.dsc
- http://security.debian.org/dists/potato/updates/main/source/xlockmore_4.15.orig.tar.gz
- alpha:
- http://security.debian.org/dists/potato/updates/main/binary-alpha/xlockmore-gl_4.15-9_alpha.deb
- http://security.debian.org/dists/potato/updates/main/binary-alpha/xlockmore_4.15-9_alpha.deb
- arm:
- http://security.debian.org/dists/potato/updates/main/binary-arm/xlockmore-gl_4.15-9_arm.deb
- http://security.debian.org/dists/potato/updates/main/binary-arm/xlockmore_4.15-9_arm.deb
- i386:
- http://security.debian.org/dists/potato/updates/main/binary-i386/xlockmore-gl_4.15-9_i386.deb
- http://security.debian.org/dists/potato/updates/main/binary-i386/xlockmore_4.15-9_i386.deb
- m68k:
- http://security.debian.org/dists/potato/updates/main/binary-m68k/xlockmore-gl_4.15-9_m68k.deb
- http://security.debian.org/dists/potato/updates/main/binary-m68k/xlockmore_4.15-9_m68k.deb
- sparc:
- http://security.debian.org/dists/potato/updates/main/binary-sparc/xlockmore-gl_4.15-9_sparc.deb
- http://security.debian.org/dists/potato/updates/main/binary-sparc/xlockmore_4.15-9_sparc.deb
- powerpc:
- http://security.debian.org/dists/potato/updates/main/binary-powerpc/xlockmore-gl_4.15-9_powerpc.deb
- http://security.debian.org/dists/potato/updates/main/binary-powerpc/xlockmore_4.15-9_powerpc.deb