CVE-2019-20373

Name: CVE-2019-20373
Description: LTSP LDM through 2.18.06 allows fat-client root access because the LDM_USERNAME variable may have an empty value if the user's shell lacks support for Bourne shell syntax. This is related to a run-x-session script.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-2064-1, DSA-4601-1
Debian Bugs: 948538

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                     Version               Status
ldm (PTS)        buster, buster (security)   2:2.18.06-1+deb10u1   fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version          Urgency   Origin       Debian Bugs
ldm       source   jessie       2:2.2.15-2+deb8u1                DLA-2064-1
ldm       source   stretch      2:2.2.18-2+deb9u1                DSA-4601-1
ldm       source   buster       2:2.18.06-1+deb10u1              DSA-4601-1
ldm       source   (unstable)   (unfixed)                                     948538

Notes

https://git.launchpad.net/~ltsp-upstream/ltsp/+git/ldm/commit/?id=c351ac69ef63ed6c84221cef73e409059661b8ba
https://bugs.launchpad.net/ubuntu/+source/ldm/+bug/1839431
