This script is Copyright (C) 2012-2013 Tenable Network Security, Inc.
The remote Mandrake Linux host is missing a security update.
Xlock is an X11 utility used to lock X-Window displays until the
password of the user running X is entered correctly. Of course, in
order to perform the password-check xlock must be setuid root and have
access to the shadowed passwd file. In the xlockmore distributions
versions prior to 4.16.1, a buffer overflow vulnerability was present
in xlock that permitted a user to view parts of the shadowed passwd
file. This is achieved by overwriting (with an oversized -mode
argument) a global variable storing a pointer to a string printed in
the 'usage' output. The pointer would be overwritten with an address
pointing to the shadowed passwd data. With the long argument, xlock
would find and an error in the command syntax and exit, printing the
usage information (along with the shadowed passwd text).</p>
Update the affected xlockmore package.
Risk factor :
Get Nessus Professional to scan unlimited IPs, run compliance checks & moreBuy Nessus Professional Now