Fw: [SECURITY] New version of xlockmore/xlockmore-gl released
You wanted to know what xlockmore is and why we shouldn't depend on /etc/shadow to be impenetrable? Admittedly SuSE uses klock

http://www.suse.de/de/support/security/suse_security_announce_8.txt

which had "By typing in a specific key sequence everyone could bypass the password authentication of klock."

Kurt Seifried
SecurityPortal, your focal point for security on the net
http://www.securityportal.com/

----- Original Message -----
From: "Michael Stone" <mstone@justice.loyola.edu>
To: <debian-security-announce@lists.debian.org>
Sent: Wednesday, August 16, 2000 10:31 PM
Subject: [SECURITY] New version of xlockmore/xlockmore-gl released
-----BEGIN PGP SIGNED MESSAGE-----
- ------------------------------------------------------------------------
Debian Security Advisory                             security@debian.org
http://www.debian.org/security/                            Michael Stone
August 16, 2000
- ------------------------------------------------------------------------

Package: xlockmore, xlockmore-gl
Vulnerability type: local exploit
Debian-specific: no
There is a format string bug in all versions of xlockmore/xlockmore-gl. Debian 2.1 (slink) installs xlock setgid by default, and this exploit can be used to gain read access to the shadow file. We recommend upgrading immediately.
xlockmore is normally installed as an unprivileged program in Debian 2.2 (potato) and is not vulnerable in that configuration. xlockmore may be setuid/setgid for historical reasons or after upgrading from a previous Debian release; consult README.Debian in /usr/doc/xlockmore or /usr/doc/xlockmore-gl for information about xlock privileges and how to disable them. If your local environment requires xlock to be setgid, or if in doubt, you should upgrade to a fixed package immediately.
Fixed packages are available in xlockmore/xlockmore-gl 4.12-5 for Debian 2.1 (slink) and xlockmore/xlockmore-gl 4.15-9 for Debian 2.2 (potato).
wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.
Debian GNU/Linux 2.1 alias slink
- --------------------------------

Source archives:
http://security.debian.org/dists/slink/updates/source/xlockmore_4.12-5.diff.gz
MD5 checksum: e253bee3472f835e71e23994ead85dcf
http://security.debian.org/dists/slink/updates/source/xlockmore_4.12-5.dsc
MD5 checksum: acbf3f3310edca9ce20f5d4e720f3227
http://security.debian.org/dists/slink/updates/source/xlockmore_4.12.orig.tar.gz
MD5 checksum: 110a594d89f3a2758255d0bba0e48217

Alpha architecture:
http://security.debian.org/dists/slink/updates/binary-alpha/xlockmore-gl_4.12-5_alpha.deb
MD5 checksum: d51723c04362213ca6f43d12db479a07
http://security.debian.org/dists/slink/updates/binary-alpha/xlockmore_4.12-5_alpha.deb
MD5 checksum: 41878e3ba49152c5049cb9a394a41d14

Intel ia32 architecture:
http://security.debian.org/dists/slink/updates/binary-i386/xlockmore-gl_4.12-5_i386.deb
MD5 checksum: 0d5c32ed8a834bb810ba421520f81dea
http://security.debian.org/dists/slink/updates/binary-i386/xlockmore_4.12-5_i386.deb
MD5 checksum: ca34fd0732d82f2e4d176eb80f828cd8

Motorola 680x0 architecture:
will be available shortly

Sun Sparc architecture:
http://security.debian.org/dists/slink/updates/binary-sparc/xlockmore-gl_4.12-5_sparc.deb
MD5 checksum: 3ccfd6b2893e0e183eb1118c75fd57e4
http://security.debian.org/dists/slink/updates/binary-sparc/xlockmore_4.12-5_sparc.deb
MD5 checksum: 002d7712d7be3a943e0b88f9263092b2

Debian GNU/Linux 2.2 alias potato
- ---------------------------------

Source archives:
http://security.debian.org/dists/potato/updates/main/source/xlockmore_4.15-9.diff.gz
MD5 checksum: 02f86bd315558ca32ca5a777d009c85f
http://security.debian.org/dists/potato/updates/main/source/xlockmore_4.15-9.dsc
MD5 checksum: 377a392b2f6c711b5252fbfff822ce99
http://security.debian.org/dists/potato/updates/main/source/xlockmore_4.15.orig.tar.gz
MD5 checksum: eceda376ee0a336063a46ec018c83d94

Alpha architecture:
http://security.debian.org/dists/potato/updates/main/binary-alpha/xlockmore-gl_4.15-9_alpha.deb
MD5 checksum: e620c4e0d3f4ecc7167b9f9897cd3971
http://security.debian.org/dists/potato/updates/main/binary-alpha/xlockmore_4.15-9_alpha.deb
MD5 checksum: 15e4be9f504873789c42ce0f283da707

Arm architecture:
http://security.debian.org/dists/potato/updates/main/binary-arm/xlockmore-gl_4.15-9_arm.deb
MD5 checksum: bb0f9cfb7a90f73a870ed529b51ef258
http://security.debian.org/dists/potato/updates/main/binary-arm/xlockmore_4.15-9_arm.deb
MD5 checksum: e78be3e33bbc1ee68c01bef39be8997d

Intel ia32 architecture:
http://security.debian.org/dists/potato/updates/main/binary-i386/xlockmore-gl_4.15-9_i386.deb
MD5 checksum: aed3a97f49cd0ea1464cefb6ef94b9ac
http://security.debian.org/dists/potato/updates/main/binary-i386/xlockmore_4.15-9_i386.deb
MD5 checksum: 7a8ac4b5725bf3117b029ba31568817f

Motorola 680x0 architecture:
Will be available shortly

PowerPC architecture:
Will be available shortly

Sun Sparc architecture:
http://security.debian.org/dists/potato/updates/main/binary-sparc/xlockmore-gl_4.15-9_sparc.deb
MD5 checksum: 3507476bbf9e625c06a4f52ffa81a1e8
http://security.debian.org/dists/potato/updates/main/binary-sparc/xlockmore_4.15-9_sparc.deb
MD5 checksum: 9ce55111c3a93744b62eb5f2d2291511
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.2 (GNU/Linux) Comment: For info see http://www.gnupg.org
iQCVAwUBOZtlzQ0hVr09l8FJAQGhqAQArn11m6LbQxYxvrt1VmrrEpCYpSKcCeQd LptDP6MkaD/8CvQHm7qYDyG/BD90UxkocLEmiRf53DvYYfaKEskyLXfKEoafMJAt /q4V6PslIP98sz0Q1ddLIq4x+mHgJpmsD69XqjxqNMhK9sqLXpJuSLA1HE08JOD5 LjEL+J5ISSo= =qN72 -----END PGP SIGNATURE-----
On Wed, 16 Aug 2000, Kurt Seifried wrote:

> You wanted to know what xlockmore is and why we shouldn't depend on /etc/shadow to be impenetrable? Admittedly SuSE uses klock
> <SNIP>
> From: "Michael Stone" <mstone@justice.loyola.edu>
> To: <debian-security-announce@lists.debian.org>
> Sent: Wednesday, August 16, 2000 10:31 PM
> Subject: [SECURITY] New version of xlockmore/xlockmore-gl released
> <SNIP>
> There is a format string bug in all versions of xlockmore/xlockmore-gl. Debian 2.1 (slink) installs xlock setgid by default, and this exploit can be used to gain read access to the shadow file. We recommend upgrading immediately.
>
> xlockmore is normally installed as an unprivileged program in Debian 2.2 (potato) and is not vulnerable in that configuration. xlockmore may be

In SuSE 6.3 xlock is sgid shadow. Does this mean it has the same vulnerability? Did I miss a security announcement? I did not see anything in the suse-update area under xap1.

Has anyone made an rpm of xlock for SuSE that has an unprivileged binary? Would it be difficult to do?

dproc
On Sun, 20 Aug 2000, dproc wrote:

> On Wed, 16 Aug 2000, Kurt Seifried wrote:
>
>> You wanted to know what xlockmore is and why we shouldn't depend on /etc/shadow to be impenetrable? Admittedly SuSE uses klock
>> <SNIP>
>> From: "Michael Stone" <mstone@justice.loyola.edu>
>> To: <debian-security-announce@lists.debian.org>
>> Sent: Wednesday, August 16, 2000 10:31 PM
>> Subject: [SECURITY] New version of xlockmore/xlockmore-gl released
>> <SNIP>
>> There is a format string bug in all versions of xlockmore/xlockmore-gl. Debian 2.1 (slink) installs xlock setgid by default, and this exploit can be used to gain read access to the shadow file. We recommend upgrading immediately.
>>
>> xlockmore is normally installed as an unprivileged program in Debian 2.2 (potato) and is not vulnerable in that configuration. xlockmore may be
>
> In SuSE 6.3 xlock is sgid shadow. Does this mean it has the same vulnerability? Did I miss a security announcement? I did not see anything in the suse-update area under xap1.

AFAIK, xlock drops SGID shadow before the bug could be exploited.

Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
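The mitigation Thomas describes, giving up the setgid group before any code that handles untrusted text runs, shown together with the standard fix for a format string bug. This is an added C example, not code from xlockmore or from anyone in the thread; `drop_setgid` and `format_message` are hypothetical names and the input string is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: permanently give up an elevated effective GID
 * (such as "shadow" on a setgid binary). Returns 0 on success, -1 if the
 * drop failed or could be undone. */
int drop_setgid(void)
{
    gid_t real = getgid();
    gid_t elevated = getegid();

    /* Set real and effective GID together; on Linux this also replaces
     * the saved set-group-ID, so the old group cannot be restored. */
    if (setregid(real, real) != 0)
        return -1;
    if (getegid() != real)
        return -1;
    /* Verify (non-root caller): switching back must now be refused. */
    if (elevated != real && setegid(elevated) == 0)
        return -1;
    return 0;
}

/* Hypothetical helper: copy untrusted text into a message buffer. The text
 * is an argument to a constant "%s" format, never the format itself, so
 * conversion specifiers inside it are inert. The vulnerable shape would
 * be snprintf(out, outlen, untrusted). Returns -1 on error or truncation. */
int format_message(char *out, size_t outlen, const char *untrusted)
{
    int n = snprintf(out, outlen, "%s", untrusted);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char msg[64];

    /* Order matters: shed the privilege before touching untrusted input. */
    if (drop_setgid() != 0) {
        fputs("could not drop setgid privilege\n", stderr);
        return 1;
    }
    /* Constructed input containing conversion specifiers. */
    if (format_message(msg, sizeof msg, "%x %x %n") == 0)
        puts(msg);
    return 0;
}
```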
On Mon, 21 Aug 2000, Thomas Biege wrote:

>>> xlockmore is normally installed as an unprivileged program in Debian 2.2 (potato) and is not vulnerable in that configuration. xlockmore may be
>>
>> In SuSE 6.3 xlock is sgid shadow. Does this mean it has the same vulnerability? Did I miss a security announcement? I did not see anything in the suse-update area under xap1.
>
> AFAIK, xlock drops SGID shadow before the bug could be exploited.

This is good. There is always the next bug to find. Anyone know how Debian manage the trick of making it unprivileged?

xlock manpage has one option which sounds pretty good - and that is to have an unprivileged crypt'd lock password. Oh dear - another password to remember.

I notice that SuSE also has package xscrns (xscreensaver) which is suid root. I guess that, as I have not heard of anyone audit that for security, I had best delete that altogether.

Before anyone says it, I suppose it is time for me to audit suid/sgid across my system.

dproc
Hi

On Mon, Aug 21, 2000 at 05:14:09PM -0400, dproc@dol.net wrote:

> This is good. There is always the next bug to find. Anyone know how Debian manage the trick of making it unprivileged?

Due to its linking against PAM xlock isn't needed anymore to run as setuid root, or?

> Before anyone says it, I suppose it is time for me to audit suid/sgid across my system.

There's also a tool called sxid for this one. ftp://marcus.seva.net/pub/sxid/ is its URL

MfG/Regards, Alexander
--
Alexander Reelsen http://joker.rhwd.de ref@linux.com
GnuPG: pub 1024D/F0D7313C sub 2048g/6AA2EDDB ar@rhwd.net
7D44 F4E3 1993 FDDF 552E 7C88 EE9C CBD1 F0D7 313C
Securing Debian: http://joker.rhwd.de/doc/Securing-Debian-HOWTO