- Package name
- Advisory ID
- Affected versions
- 6.1 i586 , 6.0 i586 , 7.0 i586 , 7.1 i586
The usermode package contains the program userhelper which is used to control access to programs which are to be executed as root. Because programs invoked by userhelper are not actually running setuid-root, security measures built into recent versions of glibc are not active. If one of these programs supports internationalized text messages, a malicious user can use the LANG or LC_ALL environment variables (which are inherited by userhelper and any programs it runs) to create a format-string exploit in these programs. Linux-Mandrake ships an older version of usermode which is not vulnerable to this problem. Linux-Mandrake 7.2 beta contains the fixed usermode 1.36 as provided by Red Hat.