CVE-2019-20373

Name: CVE-2019-20373
Description: LTSP LDM through 2.18.06 allows fat-client root access because the LDM_USERNAME variable may have an empty value if the user's shell lacks support for Bourne shell syntax. This is related to a run-x-session script.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-2064-1, DSA-4601-1
NVD severity: high
Debian Bugs: 948538

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release              Version                 Status
ldm (PTS)        jessie               2:2.2.15-2              vulnerable
                 jessie (security)    2:2.2.15-2+deb8u1       fixed
                 stretch              2:2.2.18-2              vulnerable
                 stretch (security)   2:2.2.18-2+deb9u1       fixed
                 buster               2:2.18.06-1             vulnerable
                 buster (security)    2:2.18.06-1+deb10u1     fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version           Urgency   Origin       Debian Bugs
ldm       source   (unstable)   (unfixed)                                      948538
ldm       source   buster       2:2.18.06-1+deb10u1               DSA-4601-1
ldm       source   jessie       2:2.2.15-2+deb8u1                 DLA-2064-1
ldm       source   stretch      2:2.2.18-2+deb9u1                 DSA-4601-1

Notes

https://git.launchpad.net/~ltsp-upstream/ltsp/+git/ldm/commit/?id=c351ac69ef63ed6c84221cef73e409059661b8ba
https://bugs.launchpad.net/ubuntu/+source/ldm/+bug/1839431
