CVE-2008-1926
Published: 24 April 2008
Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events, as demonstrated by appending an "addr=" statement to the login name, aka "audit log injection."
Notes
Author | Note |
---|---|
mdeslaur | this is the CVE-2007-3102 issue from openssh marking not-affected as we don't use login from the util-linux package. It's not compiled. |
Priority
Status
Package | Release | Status |
---|---|---|
util-linux Launchpad, Ubuntu, Debian |
dapper |
Not vulnerable
(code not present)
|
feisty |
Ignored
(end of life, was needed)
|
|
gutsy |
Not vulnerable
(not used)
|
|
hardy |
Not vulnerable
(not used)
|
|
intrepid |
Not vulnerable
(2.14-1ubuntu2)
|
|
upstream |
Needs triage
|
|
Patches: upstream: http://git.kernel.org/?p=utils/util-linux-ng/util-linux-ng.git;a=commit;h=8ccf0b253ac0f4f58d64bc9674de18bff5a88782 vendor: http://git.debian.org/?p=users/lamont/util-linux.git;a=commit;h=ed485e1653dbe297f85e845256082ef13c797942 |