Slackware Security Advisories
Slackware Logo

News

Security Advisories

FAQ

Book

General Info

Get Slack

Install Help

Configuration

Packages

ChangeLogs

Propaganda

Ports

Other Sites

Support

Contact

Mailing Lists

About

 
From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] root exploit with xlockmore fixed
Date: Mon, 23 Oct 2000 15:57:44 -0700 (PDT)
A root exploit has been found in xlockmore packaged with Slackware.  By
providing a carefully crafted display variable to xlock, it is possible
for a local attacker to gain root access.  Anyone running xlock on a
public machine should upgrade to this version of xlock (or disable xlock
altogether) immediately.

The package described below will work for users of Slackware 7.0, 7.1, and
-current.


   ===========================================
   xlockmore 4.17.2 AVAILABLE - (x1/xlock.tgz)
   ===========================================

      A root exploit has been fixed in this release of xlockmore.  The new
      xlock.tgz package is available from:

         ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/x1/xlock.tgz

      For verification purposes, we provide the following checksums:

         16-bit "sum" checksum:
         53857   762   x1/xlock.tgz

         128-bit MD5 message digest:
         ca171919342cd7a3e18a3ac3cd91e252  x1/xlock.tgz


      INSTALLATION INSTRUCTIONS FOR THE xlock.tgz PACKAGE:
      ---------------------------------------------------
      Disable any running xlockmore processes and issue this command:

         # upgradepkg xlock.tgz


Remember, it's also a good idea to backup configuration files before
upgrading packages.

- Slackware Linux Security Team
  http://www.slackware.com


+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST:                         |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back.  Follow the instructions to  |
| complete the unsubscription.  Do not reply to this message to          |
| unsubscribe!                                                           |
+------------------------------------------------------------------------+


Slackware™ is a trademark of Patrick Volkerding.