From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2) Gecko/20040308

Description of problem:
I was doing a code audit of the latest version of utempter and I have spotted a bug. In utempter.c around line 27 is:

    if (strstr(device, "/../") || strstr(device, "/./") || strstr(device, "//")) {
        fprintf(stderr, "a simple path is required\n");
    }

I think an exit was omitted. I think it should have been:

    if (strstr(device, "/../") || strstr(device, "/./") || strstr(device, "//")) {
        fprintf(stderr, "a simple path is required\n");
        exit(1);
    }

Version-Release number of selected component (if applicable):
utempter-0.5.4-1

How reproducible:
Always

Steps to Reproduce:
Problem was found in code review.

Additional info:
There are programs that trust the data in the utmp file to be validated. The utempter program is potentially accepting tty devices from outside the /dev directory. This is an extremely simple no-brainer to fix. Please make the above patch before releasing Fedora Core 2 final.

Thanks for reporting, Steve. We have released an erratum for Fedora Core 1 for this issue, and an erratum is in QA testing for all other OS releases. Updated package is also in Fedora devel. utempter-0.5.5
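
The difference between the reported check and a fail-closed one, as an added example that is not utempter's own code and not part of the original report. The function names, the sample paths and the "/dev/" prefix test are assumptions made for illustration, and the functions return a status instead of calling exit(1) so the outcome can be observed.

```c
#include <stdio.h>
#include <string.h>

/* The test quoted in the report: non-zero if the path is not "simple". */
static int not_simple(const char *device)
{
    return strstr(device, "/../") != NULL ||
           strstr(device, "/./") != NULL ||
           strstr(device, "//") != NULL;
}

/* Behaviour as reported: warn, then fall through. Returns 1 = path is used. */
int accept_as_reported(const char *device)
{
    if (not_simple(device))
        fprintf(stderr, "a simple path is required\n");
    return 1; /* no exit, so the warning does not stop anything */
}

/* Fail closed. Returns 1 only for a simple path under /dev/.
 * The "/dev/" prefix test is an assumption added for this example. */
int accept_fail_closed(const char *device)
{
    if (device == NULL || strncmp(device, "/dev/", 5) != 0)
        return 0;
    if (not_simple(device)) {
        fprintf(stderr, "a simple path is required\n");
        return 0; /* the program itself would exit(1) here */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "/dev/pts/3", "/dev/../tmp/fake", "/dev//tty1", "/tmp/fake" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s reported=%d fail_closed=%d\n", samples[i],
               accept_as_reported(samples[i]), accept_fail_closed(samples[i]));
    return 0;
}
```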