VYPR
← All advisories
Unrated severityNVD Advisory· Published Apr 2, 2003· Updated Apr 16, 2026

CVE-2002-1506

CVE-2002-1506

Description

Linuxconf before 1.28r4 has a local buffer overflow vulnerability via the LINUXCONF_LANG environment variable, allowing arbitrary code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linuxconf before 1.28r4 has a local buffer overflow vulnerability via the LINUXCONF_LANG environment variable, allowing arbitrary code execution.

Vulnerability

A buffer overflow vulnerability exists in Linuxconf versions prior to 1.28r4. The vulnerability is caused by insufficient bounds checking on the LINUXCONF_LANG environment variable. When this variable is set with an overly long string, it can trigger a buffer overflow condition within an error string generation process.

Exploitation

An attacker with local access needs to set the LINUXCONF_LANG environment variable to a string exceeding the expected buffer size. This can be achieved by creating a directory and file with specific names derived from shellcode, and then executing the vulnerable linuxconf utility. The exploit requires write permissions in the directory where linuxconf is executed [1].

Impact

Successful exploitation of this vulnerability allows a local attacker to execute arbitrary code with the privileges of the linuxconf utility, which is typically run as root. This could lead to a full system compromise [1].

Mitigation

Linuxconf version 1.28r4 and later have addressed this vulnerability. Users are advised to upgrade to a fixed version. Information regarding specific patch release dates or workarounds for older versions is not available in the provided references [1].

References
  1. Linuxconf 1.1.x/1.2.x - Local Environment Variable Buffer Overflow (1)

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

33
  • Jacques Gelinas/Linuxconf33 versions
    cpe:2.3:a:jacques_gelinas:linuxconf:1.1.6r10:*:*:*:*:*:*:*+ 32 more
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.1.6r10:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.1.8:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.1.9r1:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.1.9r2:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.2.1r1:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.2.1r2:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.2.1r3:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.2.1r4:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.2.1r5:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.2.1r6:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.2.1r7:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.2.1r8:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.2.3r1:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.2.3r2:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.2.4r2:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.2.4r4:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.2.4r5:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.27:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.27r3:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.27r4:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.27r5:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.28:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.28r1:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.28r2:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.28r3:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.2r1:*:*:*:*:*:*:*
    • cpe:2.3:a:jacques_gelinas:linuxconf:1.2r2:*:*:*:*:*:*:*

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Insufficient bounds checking of the LINUXCONF_LANG environment variable allows a buffer overflow."

Attack vector

A local attacker can exploit this vulnerability by setting the LINUXCONF_LANG environment variable to an overly long string. This string overflows an error string buffer within the linuxconf utility. The overflow can lead to the execution of arbitrary code with the privileges of the linuxconf process, which is typically root [ref_id=1].

Affected code

The vulnerability exists in Linuxconf versions prior to 1.28r4. Specifically, the issue stems from insufficient bounds checking related to the LINUXCONF_LANG environment variable within the linuxconf utility [ref_id=1].

What the fix does

The advisory does not specify a patch or provide details on the fix. However, it indicates that Linuxconf versions before 1.28r4 are affected. Users are advised to upgrade to a patched version to remediate the vulnerability.

Preconditions

  • authThe attacker must have local access to the affected system.
  • inputThe attacker must be able to set the LINUXCONF_LANG environment variable.

Reproduction

The provided reference includes a proof-of-concept exploit script that demonstrates how to trigger the buffer overflow by setting the LINUXCONF_LANG environment variable with a large string and then executing linuxconf. The script also shows how to locate the shellcode in memory and return a shell [ref_id=1].

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.