Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: xlock vulnerability

From: Thomas Biege <thomas () SUSE DE>
Date: Fri, 18 Aug 2000 08:55:02 +0200
Hi,
AFAIK xlock dropps it's priv's permanently on linux before this bug
happens.

I could be wrong, because the code includes alot of #ifdef, #else, #endif
statements and I made an failure in parsing them. :(

On SuSE Linux xlock is setgid shadow, so all an attacker gains by
exploiting this bug is read access to /etc/shadow.... weak passwords is
another problem. ;)

nevertheless, we fixed it and the RPMs will be available ASAP.

Have a nice weekend.

Bye,
     Thomas
--
  Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
  E@mail: thomas () suse de      Function: Security Support & Auditing
  "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
   Key fingerprint = 09 48 F2 FD 81 F7 E7 98  6D C7 36 F1 96 6A 12 47
Previous By Date Next
Previous By Thread Next

Current thread: