FreeBSD : zhcon -- unauthorized file access (d371b627-6ed5-11d9-bd18-000a95bc6fae)
Low Nessus Plugin ID 19132
Synopsis
The remote FreeBSD host is missing one or more security-related updates.
Description
Martin Joey Schulze reports:
Erik Sjölund discovered that zhcon, a fast console CJK system using the Linux framebuffer, accesses a user-controlled configuration file with elevated privileges. Thus, it is possible to read arbitrary files.
When installed from the FreeBSD Ports Collection, zhcon is installed set-user-ID root.
Solution
Update the affected packages.