Title: Gentoo Portage-Built Webmin Binary Package Build Host Root Password Disclosure Vulnerability
Severity: CRITICAL
Description:
Portage is the package management system used by Gentoo Linux; its package tree is distributed via rsync. Portage can build reusable binary packages for any package in the Portage tree by enabling the 'buildpkg' feature or by passing the -b/-B options to emerge.
It is reported that the Gentoo Portage-built Webmin binary package discloses the build host's root password to remote users. Apparently, the Webmin ebuild places the build host's encrypted root password in the 'miniserv.users' file and includes this file in the binary package. The password hash is therefore disclosed to any user who obtains the Webmin binary package from the build host.
Any user who builds the affected Webmin binary package and shares it with other users is at risk of compromise.
Gentoo app-admin/webmin packages prior to 1.170-r3 are vulnerable to this issue.
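The following is an added example, not code from the advisory or from Gentoo, showing the check a build host operator would want before distributing a binary package: scan the package archive for a 'miniserv.users' file and flag any entry whose password field holds a crypt(3)-style hash. It assumes that 'miniserv.users' lines are colon-separated with the hash in the second field (a hypothetical placeholder such as 'x' means no stored password), and it works on a plain tar.bz2 archive; a real Portage binpkg also carries a trailing xpak metadata block that Python's tarfile reader does not understand, so that block would have to be stripped first. The sample packages and the hash value inside them are constructed for the example.

```python
import io
import re
import tarfile

# crypt(3)-style password hash: either a modular "$id$salt$hash" form or a
# traditional 13-character DES string. Anything matching is a credential that
# must not ship inside a binary package.
CRYPT_HASH_RE = re.compile(r"^(\$[0-9a-z]+\$.+|[./0-9A-Za-z]{13})$")


def find_leaked_credentials(pkg_bytes, user_file_suffix="etc/webmin/miniserv.users"):
    """Return (user, member path) pairs for every stored password hash found
    in a miniserv.users file inside the given tar archive bytes."""
    leaks = []
    with tarfile.open(fileobj=io.BytesIO(pkg_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or not member.name.endswith(user_file_suffix):
                continue
            data = tar.extractfile(member).read().decode("utf-8", "replace")
            for line in data.splitlines():
                fields = line.split(":")
                if len(fields) < 2:
                    continue
                user, password_field = fields[0], fields[1]
                # Assumed format: user:hash:...; only a real hash counts as a leak.
                if CRYPT_HASH_RE.match(password_field):
                    leaks.append((user, member.name))
    return leaks


def build_sample_package(users_content):
    """Constructed sample: a tar.bz2 archive containing only miniserv.users,
    standing in for the file layout of a Webmin binary package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        payload = users_content.encode()
        info = tarfile.TarInfo("./etc/webmin/miniserv.users")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed packages: one that carries a hash (the vulnerable case) and one
# with a placeholder instead of a password (the safe case).
LEAKY_PKG = build_sample_package("root:$1$constructed$notarealhashvalue000:0\n")
CLEAN_PKG = build_sample_package("root:x:0\n")


if __name__ == "__main__":
    for label, pkg in (("leaky", LEAKY_PKG), ("clean", CLEAN_PKG)):
        leaks = find_leaked_credentials(pkg)
        if leaks:
            print(f"{label}: REFUSE TO SHARE, stored password hash for "
                  + ", ".join(f"{u} in {p}" for u, p in leaks))
        else:
            print(f"{label}: no stored credentials found")
```

Run the check over every binary package before copying it off the build host; a non-empty result means the package embeds a credential from the host that built it and should be rebuilt with a fixed ebuild rather than shared.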
Affected Products:
- Gentoo webmin-1.140.ebuild 0.0.0
- Gentoo webmin-1.150.ebuild 0.0.0
- Gentoo webmin-1.160.ebuild 0.0.0
- Gentoo webmin-1.170-r1.ebuild 0.0.0
- Gentoo webmin-1.170-r2.ebuild 0.0.0
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.