Debian 2.1: Security Advisory on Xlockmore Local Exploit

August 17, 2000

Summary

Package: xlockmore, xlockmore-gl
Vulnerability type: local exploit
Debian-specific: no

There is a format string bug in all versions of xlockmore/xlockmore-gl.
Debian 2.1 (slink) installs xlock setgid by default, and this exploit
can be used to gain read access to the shadow file. We recommend
upgrading immediately.

xlockmore is normally installed as an unprivileged program in Debian 2.2
(potato) and is not vulnerable in that configuration. xlockmore may be
setuid/setgid for historical reasons or after upgrading from a previous
Debian release; consult README.Debian in /usr/doc/xlockmore or
/usr/doc/xlockmore-gl for information about xlock privileges and how to
disable them. If your local environment requires xlock to be setgid, or
if in doubt, you should upgrade to a fixed package immediately.

Fixed packages are available in xlockmore/xlockmore-gl 4.12-5 for Debian
2.1 (slink) and xlockmore/xlockmore-gl 4.15-9 for Debian 2.2 (potato).
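
An added example, not part of the Debian advisory: a shell audit that reports whether the installed xlockmore/xlockmore-gl predates the fixed versions named above and whether the xlock binary carries setuid/setgid bits. The function names and the argument convention are this example's own, and it assumes dpkg is on the PATH.

```shell
#!/bin/sh
# Added example: audit a host for the xlockmore exposure in this advisory.
# Function names are hypothetical; fixed versions are the ones stated above.

# Print which privilege bits are set on FILE: setuid, setgid, both, or none.
priv_bits() {
    bits=""
    [ -u "$1" ] && bits="setuid"
    [ -g "$1" ] && bits="${bits:+$bits,}setgid"
    echo "${bits:-none}"
}

# Map a Debian release name to the fixed package version from the advisory.
fixed_version() {
    case "$1" in
        slink)  echo "4.12-5" ;;
        potato) echo "4.15-9" ;;
        *)      return 1 ;;
    esac
}

# Report each package's installed version and whether it predates the fix.
check_packages() {
    want=$(fixed_version "$1") || { echo "unknown release: $1" >&2; return 2; }
    for pkg in xlockmore xlockmore-gl; do
        # Take Version only when Status says the package is fully installed.
        have=$(dpkg -s "$pkg" 2>/dev/null |
            sed -n '/^Status: .* installed$/,$ s/^Version: //p')
        if [ -z "$have" ]; then
            echo "$pkg: not installed"
        elif dpkg --compare-versions "$have" lt "$want"; then
            echo "$pkg: $have is older than fixed $want, upgrade"
        else
            echo "$pkg: $have includes the fix"
        fi
    done
}

# Usage: sh audit.sh slink|potato [path-to-xlock]
if [ "$#" -gt 0 ]; then
    check_packages "$1" || exit $?
    xlock_bin=${2:-$(command -v xlock)}
    if [ -n "$xlock_bin" ] && [ -e "$xlock_bin" ]; then
        echo "$xlock_bin: privilege bits: $(priv_bits "$xlock_bin")"
    fi
fi
```

A result other than `none` on an unpatched package is the configuration the advisory describes as exposed.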

wget url
will fetch the file for you
dpkg -i file.deb
...

Severity: critical