Bugtraq mailing list archives
Re: xlock vulnerability
From: Thomas Biege <thomas () SUSE DE>
Date: Fri, 18 Aug 2000 08:55:02 +0200
Hi, AFAIK xlock dropps it's priv's permanently on linux before this bug happens. I could be wrong, because the code includes alot of #ifdef, #else, #endif statements and I made an failure in parsing them. :( On SuSE Linux xlock is setgid shadow, so all an attacker gains by exploiting this bug is read access to /etc/shadow.... weak passwords is another problem. ;) nevertheless, we fixed it and the RPMs will be available ASAP. Have a nice weekend. Bye, Thomas -- Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: thomas () suse de Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka" Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
Current thread:
- xlock vulnerability bind (Aug 16)
- <Possible follow-ups>
- Re: xlock vulnerability Thomas Biege (Aug 18)