TurboLinux Advisory #TLSA2001002-1 (slocate-2.3-1)

by Phiber on February 9th, 2001

There is a heap-corruption vulnerability in slocate. It can compromise slocate's ability to maintain an index of the entire filesystem as well as its ability to read user-specified databases...


Secure Locate maintains an index of the entire filesystem, including
files only visible by root. The slocate binary is setgid "slocate"
so it can read this index. The heap-corruption vulnerability may
compromise disclosure of these files if exploited.



When running slocate, users are able to specify a database of their own
as a command-line parameter. A subtle vulnerability exists in slocate's
reading of these user-supplied databases that may allow a local user to
execute arbitrary code with effective gid slocate.
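
A general hardening pattern for a setgid tool that accepts a user-named database is to give up the group privilege before the file is opened or parsed, so a parsing bug runs with the caller's own group only. This is an added example, not code from the advisory or from slocate, and it is not the advisory's quick fix (which is not reproduced on this page); the function names are hypothetical.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not slocate code: permanently give up the setgid
 * group. Setting both ids to the real gid also resets the saved gid. */
int drop_setgid_privilege(void)
{
    gid_t real = getgid();
    if (setregid(real, real) != 0)
        return -1;
    /* Verify the result instead of trusting the return code alone. */
    return (getgid() == real && getegid() == real) ? 0 : -1;
}

/* Open a database named by the user. The privilege drop comes first, so
 * open() and every later parsing step run with the caller's own group. */
int open_user_db(const char *path)
{
    struct stat st;
    int fd;
    if (path == NULL || drop_setgid_privilege() != 0)
        return -1;
    fd = open(path, O_RDONLY | O_NONBLOCK);   /* O_NONBLOCK: never hang on a FIFO */
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);                             /* accept regular files only */
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = (argc > 1) ? open_user_db(argv[1]) : -1;
    if (fd < 0) {
        fprintf(stderr, "usage: %s <regular-file database>\n", argv[0]);
        return 1;
    }
    printf("opened fd %d with egid %ld\n", fd, (long)getegid());
    close(fd);
    return 0;
}
```

The drop is one-way: a tool built like this must finish any work that needs the privileged index before it handles a user-supplied database.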



A quick fix is available in the advisory file, so download it!


