CVE-2008-1926

Publication date 24 April 2008

Last updated 24 July 2024

Ubuntu priority

Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events, as demonstrated by appending an "addr=" statement to the login name, aka "audit log injection."

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
util-linux	8.10 intrepid	Not affected
	8.04 LTS hardy	Not affected
	7.10 gutsy	Not affected
	7.04 feisty	Ignored
	6.06 LTS dapper	Not affected

Notes

mdeslaur

this is the CVE-2007-3102 issue from openssh marking not-affected as we don't use login from the util-linux package. It's not compiled.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
util-linux	Upstream: http://git.kernel.org/?p=utils/util-linux-ng/util-linux-ng.git;a=commit;h=8ccf0b253ac0f4f58d64bc9674de18bff5a88782 Vendor: http://git.debian.org/?p=users/lamont/util-linux.git;a=commit;h=ed485e1653dbe297f85e845256082ef13c797942

References

Other references

https://www.cve.org/CVERecord?id=CVE-2008-1926