Family: Mandrake Local Security Checks --> Category: infos
MDKSA-2002:060: tcltk Vulnerability Scan
Vulnerability Scan Summary
Check for the version of the tcltk package
Detailed Explanation for this Vulnerability Test
The remote host is missing the patch for the advisory MDKSA-2002:060 (tcltk).
Some problems were discovered with the Tcl/Tk development environment. The
expect application would search for its libraries in /var/tmp prior to searching
in other directories, which could allow a local user to gain root privilege by
writing a trojan library and waiting for the root user to run the mkpasswd
utility. This is fixed in version 5.32 of expect. A similar vulnerability has
been fixed in the tcltk package which searched for its libraries in the current
working directory prior to searching in other directories. This could be used to
execute arbitrary code by local users through the use of a trojan library.
Solution : http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2002:060
Threat Level: High