1. Gentoo Linux Security Advisory
| Advisory Reference | GLSA 200710-25 / mldonkey |
| Release Date | October 24, 2007 |
| Latest Revision | November 07, 2007: 02 |
| Impact | high |
| Exploitable | remote |
| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| net-p2p/mldonkey | < 2.9.0-r3 | >= 2.9.0-r3 | All supported architectures |
Related bug reports: #189412
The Gentoo MLDonkey ebuild adds a user to the system with a valid login shell and no password.
MLDonkey is a peer-to-peer filesharing client that connects to several different peer-to-peer networks, including Overnet and BitTorrent.
The Gentoo MLDonkey ebuild adds a user to the system named "p2p" so that the MLDonkey service can run under a user with low privileges. With older Portage versions this user is created with a valid login shell and no password.
A remote attacker could log into a vulnerable system as the p2p user. This would require an installed login service that permitted empty passwords, such as SSH configured with the "PermitEmptyPasswords yes" option, a local login console, or a telnet server.
See Resolution.
Change the p2p user's shell to disallow login. For example, as root run the following command:
Code Listing 3.1: Resolution
# usermod -s /bin/false p2p
NOTE: Updating to the current MLDonkey ebuild will not remove this vulnerability; it must be fixed manually. The updated ebuild is intended to prevent this problem from occurring in the future.
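An audit for the condition this advisory describes, added here as an example and not part of the original advisory or the Gentoo ebuild: it lists accounts whose password field is empty and whose shell still permits login. The function names, the sample passwd/shadow entries and the set of shells treated as non-login (/bin/false and any path ending in nologin) are assumptions made for the illustration.

```shell
# Added example: report accounts with an empty password and a login shell.
# Usage: audit_empty_login [passwd_file] [shadow_file]
audit_empty_login() {
    passwd_file=${1:-/etc/passwd}
    shadow_file=${2:-/etc/shadow}
    awk -F: '
        # First file (shadow): remember users whose hash field is empty.
        NR == FNR { if ($2 == "") empty[$1] = 1; next }
        # Second file (passwd): report such users, or users whose passwd
        # password field is itself empty, unless the shell blocks login.
        ($2 == "" || ($1 in empty)) && $7 !~ /\/(false|nologin)$/ { print $1 }
    ' "$shadow_file" "$passwd_file"
}

# Constructed sample data (not taken from a real system).
write_sample() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
p2p:x:101:101:constructed entry:/home/p2p:/bin/bash
ftp:x:21:21::/home/ftp:/bin/false
alice:x:1000:1000::/home/alice:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$constructed$hash:13800:0:::::
p2p::13800:0:99999:7:::
ftp::13800:0:99999:7:::
alice:!:13800:0:99999:7:::
EOF
    echo "$dir"
}

sample=$(write_sample)
audit_empty_login "$sample/passwd" "$sample/shadow"   # prints: p2p
rm -rf "$sample"
```

Called with no arguments as root, audit_empty_login reads the live /etc/passwd and /etc/shadow; after the usermod command above, p2p should no longer be listed.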