Andries Brouwer: >> Util-Linux Security Vulnerabilities
login in util-linux-2.12a skips pam_acct_mgmt and chauth_tok when authentication is skipped, such as when a Kerberos krlogin session has been established, which might allow users to bypass intended access policies that would be enforced by pam_acct_mgmt and chauth_tok.
CVSS Score
4.1
EPSS Score
0.001
Published
2007-03-04
umount in util-linux 2.8 to 2.12q, 2.13-pre1, and 2.13-pre2, and other packages such as loop-aes-utils, allows local users with unmount permissions to gain privileges via the -r (remount) option, which causes the file system to be remounted with just the read-only flag, which effectively clears the nosuid, nodev, and other flags.
CVSS Score
7.2
EPSS Score
0.0
Published
2005-09-13
The login program in util-linux 2.11 and earlier uses a pointer after it has been freed and reallocated, which could cause login to leak sensitive data.
CVSS Score
5.0
EPSS Score
0.016
Published
2004-03-03
A patch for mcookie in the util-linux package for Mandrake Linux 8.2 and 9.0 uses /dev/urandom instead of /dev/random, which causes mcookie to use an entropy source that is more predictable than expected, which may make it easier for certain types of attacks to succeed.
CVSS Score
5.0
EPSS Score
0.003
Published
2003-03-03
vipw in the util-linux package before 2.10 causes /etc/shadow to be world-readable in some cases, which would make it easier for local users to perform brute force password guessing.
CVSS Score
7.2
EPSS Score
0.0
Published
2002-04-01
The PAM implementation in /bin/login of the util-linux package before 2.11 causes a password entry to be rewritten across multiple PAM calls, which could provide the credentials of one user to a different user, when used in certain PAM modules such as pam_limits.
CVSS Score
7.2
EPSS Score
0.001
Published
2001-10-08