The Debian GNU/Linux xmcd package has historically installed two setuid
helpers for accessing CDDB databases and SCSI CD-ROM drives. More recently,
the package offered the administrator the option of removing these setuid
flags, but the removal was implemented incorrectly.
Because the "cda" binary was installed setuid root and is linked against
ncurses, a buffer overflow in ncurses could be exploited to gain root
privileges. Fixed ncurses packages have been released, as have fixed xmcd
packages that no longer install this binary with the setuid flag.
The problem is fixed in xmcd 2.5pl1-7.1, and we recommend that all users with
xmcd installed upgrade to this release. Because cda no longer runs as root,
access to the sound and CD-ROM devices now depends on group membership: you
may need to add users of xmcd to the "audio" and "cdrom" groups in order for
them to continue using xmcd.
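As an added example, not taken from the advisory or from the xmcd package: a POSIX shell audit that an administrator can run before and after the upgrade. It lists which of the xmcd helpers still carry the setuid bit, and which of the "audio" and "cdrom" groups a given user lacks once the helpers no longer run as root. The helper paths /usr/bin/cda and /usr/bin/xmcd are assumptions, and the passwd/group entries and users "alice" and "bob" are constructed sample data so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the Debian advisory or the xmcd package: audit the
# xmcd helpers for the setuid bit and check that a user holds the group
# memberships a non-setuid xmcd relies on. The helper paths /usr/bin/cda and
# /usr/bin/xmcd are assumptions; the fixture users "alice" and "bob" are
# constructed sample data.

# Print each given path that exists as a regular file and carries the setuid bit.
setuid_among() {
    for f in "$@"; do
        [ -f "$f" ] && [ -u "$f" ] && echo "$f"
    done
    return 0
}

# user_in_group USER GROUP [GROUP_FILE] [PASSWD_FILE]
# Exit 0 if USER belongs to GROUP, either through the primary gid field of
# passwd(5) or as a supplementary member listed in group(5); 1 otherwise.
user_in_group() {
    uig_user=$1; uig_group=$2
    uig_gf=${3:-/etc/group}; uig_pf=${4:-/etc/passwd}
    uig_pgid=$(awk -F: -v u="$uig_user" '$1 == u { print $4; exit }' "$uig_pf")
    awk -F: -v u="$uig_user" -v g="$uig_group" -v pgid="$uig_pgid" '
        $1 == g {
            if (pgid != "" && $3 == pgid) found = 1      # primary group matches
            n = split($4, m, ",")                        # supplementary members
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$uig_gf"
}

# xmcd_groups_missing USER [GROUP_FILE] [PASSWD_FILE]
# Print, one per line, the groups among "audio" and "cdrom" that USER lacks.
xmcd_groups_missing() {
    xgm_user=$1; xgm_gf=${2:-/etc/group}; xgm_pf=${3:-/etc/passwd}
    for g in audio cdrom; do
        user_in_group "$xgm_user" "$g" "$xgm_gf" "$xgm_pf" || echo "$g"
    done
    return 0
}

# make_fixtures DIR: constructed sample data for offline use. "alice" is a
# supplementary member of audio only; "bob" has audio (gid 29) as primary
# group; "cda" is setuid as the old package shipped it, "xmcd" is not.
make_fixtures() {
    mkdir -p "$1"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'alice:x:1000:1000:Alice:/home/alice:/bin/sh' \
        'bob:x:1001:29:Bob:/home/bob:/bin/sh' > "$1/passwd"
    printf '%s\n' 'root:x:0:' 'audio:x:29:alice' 'cdrom:x:24:' \
        'alice:x:1000:' > "$1/group"
    : > "$1/cda";  chmod 4755 "$1/cda"
    : > "$1/xmcd"; chmod 755 "$1/xmcd"
}

# Demo against the constructed fixtures, then against the assumed system paths.
demo_dir=$(mktemp -d)
make_fixtures "$demo_dir"
echo "setuid helpers in fixtures:"; setuid_among "$demo_dir/cda" "$demo_dir/xmcd"
echo "groups alice still needs:"; xmcd_groups_missing alice "$demo_dir/group" "$demo_dir/passwd"
rm -rf "$demo_dir"
echo "setuid helpers on this system (assumed paths):"; setuid_among /usr/bin/cda /usr/bin/xmcd
```

On a real system, run `setuid_among /usr/bin/cda /usr/bin/xmcd` after the upgrade and expect no output, and run `xmcd_groups_missing "$USER"` for each xmcd user; any group it prints is one the user must be added to (for example with `adduser USER cdrom`) for playback to keep working without the setuid helper.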
Debian GNU/Linux 2.1 alias slink
Slink is no longer being supported by the Debian Security Team. We highly
recommend an upgrade to the current stable release.
Debian GNU/Linux 2.2 (stable) alias potato
Fixes are currently available for the Alpha, ARM, Intel ia32, Motorola 680x0,
PowerPC and Sun SPARC architectures, a...