Title: GNOME libgtop_daemon Remote Format String Vulnerability
Severity: HIGH
Description:
The GNOME libgtop_daemon is used to monitor processes running on a remote Linux system running GNOME.
Under some conditions, when a remote connection fails, user supplied input is used as a format string within a log message. A malicious user may construct a string including format modifiers, causing stack information to be written to the log file, and possibly leading to remote execution of arbitrary code.
While the daemon will normally execute as the nobody user, successful exploitation of this vulnerability may lead to a local shell. From a local viewpoint, elevated privleges may be easier to obtain.
Older versions of libgtop_daemon may share this vulnerability.
Affected Products:
- Conectiva Linux 5.0.0
- Conectiva Linux 5.1.0
- Conectiva Linux 6.0.0
- Conectiva Linux 7.0.0
- Conectiva Linux ecommerce
- Conectiva Linux graficas
- GNOME libgtop_daemon 1.0.12
- GNOME libgtop_daemon 1.0.6
- GNOME libgtop_daemon 1.0.7
- GNOME libgtop_daemon 1.0.9
- MandrakeSoft Corporate Server 1.0.1
- MandrakeSoft Linux Mandrake 7.1.0
- MandrakeSoft Linux Mandrake 7.2.0
- MandrakeSoft Linux Mandrake 8.0.0
- MandrakeSoft Linux Mandrake 8.0.0 ppc
- MandrakeSoft Linux Mandrake 8.1.0
- MandrakeSoft Linux Mandrake 8.1.0 ia64
References:
- Home-Of-Linux.org: LibGTop
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
