Vulnerability Note VU#111673
SGI IRIX "xfsdump" creates quota information files insecurely
A vulnerability exists in xfsdump on SGI IRIX. Exploitation of this vulnerability may allow a local attacker to gain root privileges. Because other operating systems ship with xfsdump, vendors other than SGI may be affected.
From the xfsdump man page:
xfsdump backs up files and their attributes in a filesystem. The files are dumped to storage media, a regular file, or standard output. Options allow the operator to have all files dumped, just files that have changed since a previous dump, or just files contained in a list of pathnames.
A local attacker may be able to gain superuser privileges.
Apply a patch from your vendor.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Debian | Affected | 10 Apr 2003 | 11 Apr 2003 |
| MandrakeSoft | Affected | 10 Apr 2003 | 16 Apr 2003 |
| SGI | Affected | - | 10 Apr 2003 |
| Apple Computer Inc. | Not Affected | 10 Apr 2003 | 14 Apr 2003 |
| Foundry Networks Inc. | Not Affected | 10 Apr 2003 | 11 Apr 2003 |
| Hitachi | Not Affected | 10 Apr 2003 | 14 Apr 2003 |
| IBM | Not Affected | 10 Apr 2003 | 16 Jun 2003 |
| Ingrian Networks | Not Affected | 10 Apr 2003 | 10 Apr 2003 |
| NetBSD | Not Affected | 10 Apr 2003 | 11 Apr 2003 |
| Red Hat Inc. | Not Affected | 10 Apr 2003 | 10 Apr 2003 |
| Xerox Corporation | Not Affected | 10 Apr 2003 | 30 May 2003 |
| 3Com | Unknown | 10 Apr 2003 | 10 Apr 2003 |
| Alcatel | Unknown | 10 Apr 2003 | 10 Apr 2003 |
| AT&T | Unknown | 10 Apr 2003 | 10 Apr 2003 |
| Avaya | Unknown | 10 Apr 2003 | 10 Apr 2003 |
This vulnerability was discovered by Ethan Benson.
This document was written by Ian A Finlay.
- CVE IDs: CAN-2003-0173
- Date Public: 10 Apr 2003
- Date First Published: 10 Apr 2003
- Date Last Updated: 16 Jun 2003
- Severity Metric: 6.75
- Document Revision: 5