Debian: xlockmore vulnerability

    Date17 Aug 2000
    CategoryDebian
    3480
    Posted ByLinuxSecurity Advisories
    There is a format string bug in all versions of xlockmore/xlockmore-gl.
    -----BEGIN PGP SIGNED MESSAGE-----
    
    - ------------------------------------------------------------------------
    Debian Security Advisory                             This email address is being protected from spambots. You need JavaScript enabled to view it. 
    http://www.debian.org/security/                            Michael Stone
    August 16, 2000
    - ------------------------------------------------------------------------
    
    Package: xlockmore, xlockmore-gl
    Vulnerability type: local exploit
    Debian-specific: no
    
    There is a format string bug in all versions of xlockmore/xlockmore-gl.
    Debian 2.1 (slink) installs xlock setgid by default, and this exploit
    can be used to gain read access to the shadow file. We recommend
    upgrading immediately.
    
    xlockmore is normally installed as an unprivileged program in Debian 2.2
    (potato) and is not vulnerable in that configuration. xlockmore may be
    setuid/setgid for historical reasons or after upgrading from a previous
    Debian release; consult README.Debian in /usr/doc/xlockmore or
    /usr/doc/xlockmore-gl for information about xlock privileges and how to
    disable them. If your local environment requires xlock to be setgid, or
    if in doubt, you should upgrade to a fixed package immediately.
    
    Fixed packages are available in xlockmore/xlockmore-gl 4.12-5 for Debian
    2.1 (slink) and xlockmore/xlockmore-gl 4.15-9 for Debian 2.2 (potato). 
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    
    Debian GNU/Linux 2.1 alias slink
    - --------------------------------
    
      Source archives:
        
    http://security.debian.org/dists/slink/updates/source/xlockmore_4.12-5.diff.gz
          MD5 checksum: e253bee3472f835e71e23994ead85dcf
         http://security.debian.org/dists/slink/updates/source/xlockmore_4.12-5.dsc
          MD5 checksum: acbf3f3310edca9ce20f5d4e720f3227
        
    http://security.debian.org/dists/slink/updates/source/xlockmore_4.12.orig.tar.gz
          MD5 checksum: 110a594d89f3a2758255d0bba0e48217
      Alpha architecture:
     
    http://security.debian.org/dists/slink/updates/binary-alpha/xlockmore-gl_4.12-5_alpha.deb
          MD5 checksum: d51723c04362213ca6f43d12db479a07
        
    http://security.debian.org/dists/slink/updates/binary-alpha/xlockmore_4.12-5_alpha.deb
          MD5 checksum: 41878e3ba49152c5049cb9a394a41d14
      Intel ia32 architecture:
        
    http://security.debian.org/dists/slink/updates/binary-i386/xlockmore-gl_4.12-5_i386.deb
          MD5 checksum: 0d5c32ed8a834bb810ba421520f81dea
        
    http://security.debian.org/dists/slink/updates/binary-i386/xlockmore_4.12-5_i386.deb
          MD5 checksum: ca34fd0732d82f2e4d176eb80f828cd8
      Motorola 680x0 architecture:
        will be available shortly
      Sun Sparc architecture:
        
    http://security.debian.org/dists/slink/updates/binary-sparc/xlockmore-gl_4.12-5_sparc.deb
          MD5 checksum: 3ccfd6b2893e0e183eb1118c75fd57e4
        
    http://security.debian.org/dists/slink/updates/binary-sparc/xlockmore_4.12-5_sparc.deb
          MD5 checksum: 002d7712d7be3a943e0b88f9263092b2
    
    
    Debian GNU/Linux 2.2 alias potato
    - ---------------------------------
    
      Source archives:
     
    http://security.debian.org/dists/potato/updates/main/source/xlockmore_4.15-9.diff.gz
          MD5 checksum: 02f86bd315558ca32ca5a777d009c85f
        
    http://security.debian.org/dists/potato/updates/main/source/xlockmore_4.15-9.dsc
          MD5 checksum: 377a392b2f6c711b5252fbfff822ce99
        
    http://security.debian.org/dists/potato/updates/main/source/xlockmore_4.15.orig.tar.gz
          MD5 checksum: eceda376ee0a336063a46ec018c83d94
      Alpha architecture:
        
    http://security.debian.org/dists/potato/updates/main/binary-alpha/xlockmore-gl_4.15-9_alpha.deb
          MD5 checksum: e620c4e0d3f4ecc7167b9f9897cd3971
        
    http://security.debian.org/dists/potato/updates/main/binary-alpha/xlockmore_4.15-9_alpha.deb
          MD5 checksum: 15e4be9f504873789c42ce0f283da707
      Arm architecture:
        
    http://security.debian.org/dists/potato/updates/main/binary-arm/xlockmore-gl_4.15-9_arm.deb
          MD5 checksum: bb0f9cfb7a90f73a870ed529b51ef258
        
    http://security.debian.org/dists/potato/updates/main/binary-arm/xlockmore_4.15-9_arm.deb
          MD5 checksum: e78be3e33bbc1ee68c01bef39be8997d
      Intel ia32 architecture:
        
    http://security.debian.org/dists/potato/updates/main/binary-i386/xlockmore-gl_4.15-9_i386.deb
          MD5 checksum: aed3a97f49cd0ea1464cefb6ef94b9ac
        
    http://security.debian.org/dists/potato/updates/main/binary-i386/xlockmore_4.15-9_i386.deb
          MD5 checksum: 7a8ac4b5725bf3117b029ba31568817f
      Motorola 680x0 architecture:
        Will be available shortly
      PowerPC architecture:
        Will be available shortly
      Sun Sparc architecture:
        
    http://security.debian.org/dists/potato/updates/main/binary-sparc/xlockmore-gl_4.15-9_sparc.deb
          MD5 checksum: 3507476bbf9e625c06a4f52ffa81a1e8
        
    http://security.debian.org/dists/potato/updates/main/binary-sparc/xlockmore_4.15-9_sparc.deb
          MD5 checksum: 9ce55111c3a93744b62eb5f2d2291511
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.2 (GNU/Linux)
    Comment: For info see  http://www.gnupg.org
    
    iQCVAwUBOZtlzQ0hVr09l8FJAQGhqAQArn11m6LbQxYxvrt1VmrrEpCYpSKcCeQd
    LptDP6MkaD/8CvQHm7qYDyG/BD90UxkocLEmiRf53DvYYfaKEskyLXfKEoafMJAt
    /q4V6PslIP98sz0Q1ddLIq4x+mHgJpmsD69XqjxqNMhK9sqLXpJuSLA1HE08JOD5
    LjEL+J5ISSo=
    =qN72
    -----END PGP SIGNATURE-----
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"25","type":"x","order":"1","pct":55.56,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":11.11,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"15","type":"x","order":"3","pct":33.33,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.