Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 46422 - util-linux could leak sensitive data
Summary: util-linux could leak sensitive data
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-03-31 16:33 UTC by Tobias Weisserth
Modified: 2004-04-07 10:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Weisserth 2004-03-31 16:33:53 UTC
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0080

The login program in util-linux 2.11 and earlier uses a pointer after it has been freed and reallocated, which could cause login to leak sensitive data.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0080 to this issue.

This seems to affect only older ebuilds.  Maybe we should mask them or remove them. I didn't find any reference that newer versions might be affected,

regards,
Tobias W.

Reproducible: Always
Steps to Reproduce:
Comment 1 Kurt Lieber (RETIRED) gentoo-dev 2004-03-31 22:57:28 UTC
looks like amd64 may be affected by this.  all other arches have >= 2.12 marked as stable.

amd64 -- can you see if >=2.12 can be marked stable?
Comment 2 Jon Portnoy (RETIRED) gentoo-dev 2004-03-31 23:01:14 UTC
Done.
Comment 3 Andrea Barisani (RETIRED) gentoo-dev 2004-04-07 08:16:50 UTC
It should be noted that login is usually installed from pam-login unless the pam USE flag is disabled.

btw here's the GLSA draft for review:

https://dev.gentoo.org/glsamaker/frame-view.php?id=29e61f37c42a2430a67cace8d6d36e89
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-04-07 08:43:34 UTC
GLSA on its way, changing product
Comment 5 Andrea Barisani (RETIRED) gentoo-dev 2004-04-07 10:37:40 UTC
GLSA sent.