cmd5checkpw: Local password leak vulnerability — GLSA 200502-30

cmd5checkpw contains a flaw allowing local users to access other users cmd5checkpw passwords.

Affected packages

net-mail/cmd5checkpw on all architectures
Affected versions <= 0.22-r1
Unaffected versions >= 0.22-r2

Background

cmd5checkpw is a checkpassword compatible authentication program that uses CRAM-MD5 authentication mode.

Description

Florian Westphal discovered that cmd5checkpw is installed setuid cmd5checkpw but does not drop privileges before calling execvp(), so the invoked program retains the cmd5checkpw euid.

Impact

Local users that know at least one valid /etc/poppasswd user/password combination can read the /etc/poppasswd file.

Workaround

There is no known workaround at this time.

Resolution

All cmd5checkpw users should upgrade to the latest available version:

 # emerge --sync 
 # emerge --ask --oneshot --verbose ">=net-mail/cmd5checkpw-0.22-r2"

References

Release date
February 25, 2005

Latest revision
May 22, 2006: 02

Severity
low

Exploitable
local

Bugzilla entries