CVE-2008-1926

Publication date 24 April 2008

Last updated 24 July 2024

Ubuntu priority

Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events, as demonstrated by appending an "addr=" statement to the login name, aka "audit log injection."

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
util-linux	8.10 intrepid	Not affected
	8.04 LTS hardy	Not affected
	7.10 gutsy	Not affected
	7.04 feisty	Ignored end of life, was needed
	6.06 LTS dapper	Not affected

Notes

mdeslaur

this is the CVE-2007-3102 issue from openssh marking not-affected as we don't use login from the util-linux package. It's not compiled.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
util-linux	Upstream: http://git.kernel.org/?p=utils/util-linux-ng/util-linux-ng.git;a=commit;h=8ccf0b253ac0f4f58d64bc9674de18bff5a88782 Vendor: http://git.debian.org/?p=users/lamont/util-linux.git;a=commit;h=ed485e1653dbe297f85e845256082ef13c797942

References

Other references

https://www.cve.org/CVERecord?id=CVE-2008-1926