Executive Summary
Summary | |
---|---|
Title | New splitvt packages fix privilege escalation |
Information | |||
---|---|---|---|
Name | DSA-1500 | First vendor Publication | 2008-02-21 |
Vendor | Debian | Last vendor Modification | 2008-02-21 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 7.2 | Attack Range | Local |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Exploit Score | 3.9 | Authentication | None Required |
Detail
Mike Ashton discovered that splitvt, a utility to run two programs in a split screen, did not drop group privileges prior to executing 'xprop'. This could allow any local user to gain the privileges of group utmp. For the stable distribution (etch), this problem has been fixed in version 1.6.5-9etch1. For the unstable distribution (sid), this problem has been fixed in version 1.6.6-4. We recommend that you upgrade your splitvt package. |
Original Source
Url : http://www.debian.org/security/2008/dsa-1500 |
CAPEC : Common Attack Pattern Enumeration & Classification
Id | Name |
---|---|
CAPEC-69 | Target Programs with Elevated Privileges |
CAPEC-104 | Cross Zone Scripting |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:20008 | |||
Oval ID: | oval:org.mitre.oval:def:20008 | ||
Title: | DSA-1500-1 splitvt - privilege escalation | ||
Description: | Mike Ashton discovered that splitvt, a utility to run two programs in a split screen, did not drop group privileges prior to executing 'xprop'. This could allow any local user to gain the privileges of group utmp. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1500-1 CVE-2008-0162 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | splitvt |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:8133 | |||
Oval ID: | oval:org.mitre.oval:def:8133 | ||
Title: | DSA-1500 splitvt -- privilege escalation | ||
Description: | Mike Ashton discovered that splitvt, a utility to run two programs in a split screen, did not drop group privileges prior to executing xprop. This could allow any local user to gain the privileges of group utmp. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1500 CVE-2008-0162 | Version: | 3 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | splitvt |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 3 |
OpenVAS Exploits
Date | Description |
---|---|
2008-09-24 | Name : Gentoo Security Advisory GLSA 200803-05 (splitvt) File : nvt/glsa_200803_05.nasl |
2008-02-28 | Name : Debian Security Advisory DSA 1500-1 (splitvt) File : nvt/deb_1500_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
42178 | splitvt misc.c xprop Handling Local Privilege Escalation |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2008-03-07 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200803-05.nasl - Type : ACT_GATHER_INFO |
2008-02-25 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1500.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:27:22 |
|