CVE-2008-1926
Published: 24 April 2008
Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events, as demonstrated by appending an "addr=" statement to the login name, aka "audit log injection."
Notes
| Author | Note |
|---|---|
| mdeslaur | this is the CVE-2007-3102 issue from openssh marking not-affected as we don't use login from the util-linux package. It's not compiled. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
util-linux Launchpad, Ubuntu, Debian |
dapper |
Not vulnerable
(code not present)
|
| feisty |
Ignored
(end of life, was needed)
|
|
| gutsy |
Not vulnerable
(not used)
|
|
| hardy |
Not vulnerable
(not used)
|
|
| intrepid |
Not vulnerable
(2.14-1ubuntu2)
|
|
| upstream |
Needs triage
|
|
|
Patches: upstream: http://git.kernel.org/?p=utils/util-linux-ng/util-linux-ng.git;a=commit;h=8ccf0b253ac0f4f58d64bc9674de18bff5a88782 vendor: http://git.debian.org/?p=users/lamont/util-linux.git;a=commit;h=ed485e1653dbe297f85e845256082ef13c797942 |
||