<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> <glsa id="200404-06"> <title>Util-linux login may leak sensitive data</title> <synopsis> The login program included in util-linux could leak sensitive information under certain conditions. </synopsis> <product type="ebuild"> </product> <announced>2004-04-07</announced> <revised count="01">2004-04-07</revised> <bug>46422</bug> <access>remote</access> <affected> <package name="sys-apps/util-linux" auto="yes" arch="*"> <unaffected range="ge">2.12</unaffected> <vulnerable range="le">2.11</vulnerable> </package> </affected> <background> <p> Util-linux is a suite of essential system utilites, including login, agetty, fdisk. </p> </background> <description> <p> In some situations the login program could leak sensitive data due to an incorrect usage of a reallocated pointer. </p> <p> <b>NOTE:</b> Only users who have PAM support <b>disabled</b> on their systems (i.e. <i>-PAM</i> in their USE variable) will be affected by this vulnerability. By default, this USE flag is <b>enabled</b> on all architectures. Users with PAM support on their system receive login binaries as part of the pam-login package, which remains unaffected. </p> </description> <impact type="low"> <p> A remote attacker may obtain sensitive data. </p> </impact> <workaround> <p> A workaround is not currently known for this issue. All users are advised to upgrade to the latest version of the affected package. </p> </workaround> <resolution> <p> All util-linux users should upgrade to version 2.12 or later: </p> <code> # emerge sync # emerge -pv ">=sys-apps/util-linux-2.12" # emerge ">=sys-apps/util-linux-2.12" </code> </resolution> <references> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0080">CAN-2004-0080</uri> </references> <metadata tag="submitter">lcars</metadata> </glsa>