On Sun, 20 Aug 2000, dproc wrote:
On Wed, 16 Aug 2000, Kurt Seifried wrote:
You wanted to know what xlockmore is and why we shouldn't depend on /etc/shadow to be impenetrable? Admittedly SuSE uses klock
<SNIP>
From: "Michael Stone" <mstone@justice.loyola.edu>
To: <debian-security-announce@lists.debian.org>
Sent: Wednesday, August 16, 2000 10:31 PM
Subject: [SECURITY] New version of xlockmore/xlockmore-gl released
<SNIP>
There is a format string bug in all versions of xlockmore/xlockmore-gl. Debian 2.1 (slink) installs xlock setgid by default, and this exploit can be used to gain read access to the shadow file. We recommend upgrading immediately.
xlockmore is normally installed as an unprivileged program in Debian 2.2 (potato) and is not vulnerable in that configuration. xlockmore may be
In SuSE 6.3 xlock is sgid shadow. Does this mean it has the same vulnerability? Did I miss a security announcement? I did not see anything in the suse-update area under xap1.
AFAIK, xlock drops SGID shadow before the bug could be exploited.

Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
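
The two defences this thread turns on, as an added C example that is not part of the original messages and is not xlockmore's code: a constant format string for untrusted text, and a permanent drop of a setgid-acquired group before such text is handled. The names drop_setgid and render_untrusted and the sample input are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: permanently give up a group gained through the
 * setgid bit (e.g. "shadow"). Returns 0 once the drop is confirmed. */
int drop_setgid(void)
{
    gid_t real = getgid();
    gid_t old_eff = getegid();

    /* setregid() with both ids set to the real gid also resets the saved
     * gid; setegid() alone would leave it behind to switch back to. */
    if (setregid(real, real) != 0)
        return -1;
    if (getgid() != real || getegid() != real)
        return -1;
    /* If another group was held, regaining it must now fail. The check
     * is skipped for root, which may set any gid. */
    if (old_eff != real && geteuid() != 0 && setegid(old_eff) == 0)
        return -1;
    return 0;
}

/* Hypothetical helper: copy untrusted text into out. The format is a
 * constant, so conversion specifiers in the input stay plain data.
 * The buggy pattern would be snprintf(out, n, untrusted). */
int render_untrusted(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

int main(void)
{
    char buf[64];
    const char *sample = "%x%x%s";   /* constructed hostile-looking input */

    if (drop_setgid() != 0) {        /* drop first, before untrusted data */
        fprintf(stderr, "could not drop group privilege\n");
        return 1;
    }
    render_untrusted(buf, sizeof buf, sample);
    printf("egid=%d text=%s\n", (int)getegid(), buf);
    return 0;
}
```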