Debian GATOS xatitv Initialization Privilege Escalation

2004-05-31T03:57:18
ID OSVDB:6501
Type osvdb
Reporter Steve Kemp
Modified 2004-05-31T03:57:18

Description

Vulnerability Description

Debian Gatos contains a flaw that may allow a malicious user to gain unauthorized privileges. The issue is triggered when an administrator removes the Gatos default configuration file: root privileges are not dropped during xatitv initialization, and xatitv executes the system(3) function to launch its configuration program without sanitizing user-supplied environment variables. This flaw may lead to a loss of Confidentiality.

Solution Description

Upgrade to version 0.0.5-6woody1 or higher, as it has been reported to fix this vulnerability. An upgrade is required, as there are no known workarounds.

References:

Vendor Specific Advisory URL
Secunia Advisory ID: 11738
ISS X-Force ID: 16273
CVE-2004-0395
Bugtraq ID: 10437