Debian Security Advisory

xlockmore -- possible shadow file compromise

Date Reported:
16 Aug 2000
Affected Packages:
xlockmore, xlockmore-gl
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2000-0763.
More information:
There is a format string bug in all versions of xlockmore/xlockmore-gl. Debian GNU/Linux 2.1 (slink) installs xlock setgid by default, and this exploit can be used to gain read access to the shadow file. We recommend upgrading immediately.

xlockmore is normally installed as an unprivileged program in Debian GNU/Linux 2.2 (potato) and is not vulnerable in that configuration. xlockmore may be setuid/setgid for historical reasons or after upgrading from a previous Debian GNU/Linux release; consult README.Debian in /usr/doc/xlockmore or /usr/doc/xlockmore-gl for information about xlock privileges and how to disable them. If your local environment requires xlock to be setgid, or if in doubt, you should upgrade to a fixed package immediately.

Fixed packages are available in xlockmore/xlockmore-gl 4.12-5 for Debian GNU/Linux 2.1 (slink) and xlockmore/xlockmore-gl 4.15-9 for Debian GNU/Linux 2.2 (potato).

Fixed in:

Debian GNU/Linux 2.1 (slink):

Source:
http://security.debian.org/dists/slink/updates/source/xlockmore_4.12-5.diff.gz
http://security.debian.org/dists/slink/updates/source/xlockmore_4.12-5.dsc
http://security.debian.org/dists/slink/updates/source/xlockmore_4.12.orig.tar.gz
alpha:
http://security.debian.org/dists/slink/updates/binary-alpha/xlockmore-gl_4.12-5_alpha.deb
http://security.debian.org/dists/slink/updates/binary-alpha/xlockmore_4.12-5_alpha.deb
i386:
http://security.debian.org/dists/slink/updates/binary-i386/xlockmore-gl_4.12-5_i386.deb
http://security.debian.org/dists/slink/updates/binary-i386/xlockmore_4.12-5_i386.deb
alpha:
http://security.debian.org/dists/slink/updates/binary-m68k/xlockmore-gl_4.12-5_m68k.deb
http://security.debian.org/dists/slink/updates/binary-m68k/xlockmore_4.12-5_m68k.deb
sparc:
http://security.debian.org/dists/slink/updates/binary-sparc/xlockmore-gl_4.12-5_sparc.deb
http://security.debian.org/dists/slink/updates/binary-sparc/xlockmore_4.12-5_sparc.deb

Debian GNU/Linux 2.2 (potato):

Source:
http://security.debian.org/dists/potato/updates/main/source/xlockmore_4.15-9.diff.gz
http://security.debian.org/dists/potato/updates/main/source/xlockmore_4.15-9.dsc
http://security.debian.org/dists/potato/updates/main/source/xlockmore_4.15.orig.tar.gz
alpha:
http://security.debian.org/dists/potato/updates/main/binary-alpha/xlockmore-gl_4.15-9_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/xlockmore_4.15-9_alpha.deb
arm:
http://security.debian.org/dists/potato/updates/main/binary-arm/xlockmore-gl_4.15-9_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/xlockmore_4.15-9_arm.deb
i386:
http://security.debian.org/dists/potato/updates/main/binary-i386/xlockmore-gl_4.15-9_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/xlockmore_4.15-9_i386.deb
m68k:
http://security.debian.org/dists/potato/updates/main/binary-m68k/xlockmore-gl_4.15-9_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/xlockmore_4.15-9_m68k.deb
sparc:
http://security.debian.org/dists/potato/updates/main/binary-sparc/xlockmore-gl_4.15-9_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/xlockmore_4.15-9_sparc.deb
powerpc:
http://security.debian.org/dists/potato/updates/main/binary-powerpc/xlockmore-gl_4.15-9_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/xlockmore_4.15-9_powerpc.deb