util-linux: CVE-2008-1926 argument injection passed to audit

Debian Bug report logs - #478135
util-linux: CVE-2008-1926 argument injection passed to audit

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: submit@bugs.debian.org

Subject: util-linux: CVE-2008-1926 argument injection passed to audit

Date: Sun, 27 Apr 2008 15:10:55 +0200

[Message part 1 (text/plain, inline)]

Package: util-linux
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for util-linux.


CVE-2008-1926[0]:
| Argument injection vulnerability in login (login-utils/login.c) in
| util-linux-ng 2.14 and earlier makes it easier for remote attackers to
| hide activities by modifying portions of log events, as demonstrated
| by appending an "addr=" statement to the login name, aka "audit log
| injection."

Patch: 
http://git.kernel.org/?p=utils/util-linux-ng/util-linux-ng.git;a=commitdiff_plain;h=8ccf0b253ac0f4f58d64bc9674de18bff5a88782

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1926
    http://security-tracker.debian.net/tracker/CVE-2008-1926

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #12 received at 478135-done@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>

To: 478135-done@bugs.debian.org

Subject: patch is in the sid version

Date: Sun, 4 May 2008 16:26:13 +1000

[Message part 1 (text/plain, inline)]

fixed 478135 2.13.1.1-1

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.