On Wed, 16 Aug 2000, Kurt Seifried wrote:
You wanted to know what xlockmore is and why we shouldn't depend on /etc/shadow to be impenetrable? Admitedly SuSE uses klock <SNIP> From: "Michael Stone" <mstone@justice.loyola.edu> To: <debian-security-announce@lists.debian.org> Sent: Wednesday, August 16, 2000 10:31 PM Subject: [SECURITY] New version of xlockmore/xlockmore-gl released <SNIP>
There is a format string bug in all versions of xlockmore/xlockmore-gl. Debian 2.1 (slink) installs xlock setgid by default, and this exploit can be used to gain read access to the shadow file. We recommend upgrading immediately.
xlockmore is normally installed as an unprivileged program in Debian 2.2 (potato) and is not vulnerable in that configuration. xlockmore may be
In SuSE 6.3 xlock is sgid shadow. Does this mean it has the same vulnerability? Did I miss a security announcement? I did not see anything in the suse-update area under xap1. Has anyone made an rpm of xlock for SuSE that has an unprivileged binary? Would it be difficult to do? dproc