Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 200502-12 ] Webmin: Information leak in Gentoo binary package
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Bodhisattva
Bodhisattva


Joined: 17 Apr 2002
Posts: 2602
Location: Raleigh, NC

PostPosted: Fri Feb 11, 2005 9:16 pm    Post subject: [ GLSA 200502-12 ] Webmin: Information leak in Gentoo binary Reply with quote

Gentoo Linux Security Advisory

Title: Webmin: Information leak in Gentoo binary package (GLSA 200502-12)
Severity: normal
Exploitable: remote
Date: February 11, 2005
Updated: May 22, 2006
Bug(s): #77731
ID: 200502-12

Synopsis

Portage-built Webmin binary packages accidentally include a file containing the local encrypted root password.

Background

Webmin is a web-based system administration console allowing an administrator to easily configure servers and other features. Using the 'buildpkg' FEATURE, or the -b/-B emerge options, Portage can build reusable binary packages for any of the packages available through the Portage tree.

Affected Packages

Package: app-admin/webmin
Vulnerable: < 1.170-r3
Unaffected: >= 1.170-r3
Architectures: All supported architectures


Description

Tavis Ormandy of the Gentoo Linux Security Audit Team discovered that the Webmin ebuild contains a design flaw. It imports the encrypted local root password into the miniserv.users file before building binary packages that include this file.

Impact

A remote attacker could retrieve Portage-built Webmin binary packages and recover the encrypted root password from the build host.

Workaround

Users who never built or shared a Webmin binary package are unaffected by this.

Resolution

Webmin users should delete any old shared Webmin binary package as soon as possible. They should also consider their buildhost root password potentially exposed and follow proper audit procedures. If you plan to build binary packages, you should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/webmin-1.170-r3"


References

CVE-2005-0427


Last edited by GLSA on Fri Mar 30, 2007 4:16 am; edited 4 times in total
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum