Gentoo Full Text Bug Listing

Bug 219202 - sys-apps/util-linux <2.13.1.1 Audit log argument injection (CVE-2008-1926)

Bug#: 219202 (CVE-2008-1926)	Product: Gentoo Security	Version: unspecified	Platform: All
OS/Version: Linux	Status: RESOLVED	Severity: minor	Priority: P2
Resolution: FIXED	Assigned To: security@gentoo.org	Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL: http://git.kernel.org/?p=utils/util-linux-ng/util-linux-ng.git;a=commit;h=8ccf0b253ac0f4f58d64bc9674de18bff5a88782
Summary: sys-apps/util-linux <2.13.1.1 Audit log argument injection (CVE-2008-1926)
Keywords:
Status Whiteboard: A4? [noglsa]
Opened: 2008-04-24 21:47 0000

Description:

Opened: 2008-04-24 21:47 0000

CVE-2008-1926 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1926):
  Argument injection vulnerability in login (login-utils/login.c) in
  util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide
  activities by modifying portions of log events, as demonstrated by appending
  an "addr=" statement to the login name, aka "audit log injection."

------- Comment #1 From SpanKY 2008-04-24 22:41:57 0000 -------

i already added util-linux-2.13.1.1 which contains the fix for this

------- Comment #2 From Robert Buchholz 2008-04-25 09:09:10 0000 -------

Arches, please test and mark stable:
=sys-apps/util-linux-2.13.1.1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh
sparc x86"

------- Comment #3 From Ferris McCormick 2008-04-25 13:01:35 0000 -------

Sparc stable, no problems seen.

------- Comment #4 From Jeroen Roovers 2008-04-25 14:05:03 0000 -------

Stable for HPPA.

------- Comment #5 From Raúl Porcel 2008-04-25 17:25:41 0000 -------

alpha/ia64/x86 stable

------- Comment #6 From Markus Rothe 2008-04-27 08:34:01 0000 -------

ppc64 stable

------- Comment #7 From Markus Meier 2008-04-27 12:37:38 0000 -------

amd64 stable

------- Comment #8 From Tobias Scherbaum 2008-04-28 17:01:35 0000 -------

ppc stable

------- Comment #9 From Peter Volkov 2008-04-29 06:31:40 0000 -------

Fixed in release snapshot.

------- Comment #10 From Robert Buchholz 2008-05-06 15:18:21 0000 -------

GLSA vote, I tend to vote no.

------- Comment #11 From Pierre-Yves Rofes 2008-05-07 22:42:37 0000 -------

I vote YES

------- Comment #12 From Sune Kloppenborg Jeppesen 2008-05-10 11:41:48 0000 -------

Voting NO.

------- Comment #13 From Pierre-Yves Rofes 2008-05-11 21:49:48 0000 -------

mmh ok, changing my vote and closing without GLSA.