[Original text] poppassd_pam 1.0 and earlier, when changing a user password, does not verify that the user entered the old password correctly, which allows remote attackers to change passwords for arbitrary users.
poppassd_pam is reported prone to a vulnerability that may allow remote unauthorized users to change passwords. This issue can potentially allow an attacker to gain superuser privileges on a vulnerable computer.
Reportedly, the application does not check the validity of old passwords before changing a password.
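The missing check described above, modeled as an added example that is not poppassd_pam's own code: the flawed flow next to one that verifies the old password before applying the new one. `AccountStore`, the function names and the reply strings are assumptions made for illustration, and the in-memory store stands in for the system password database.

```python
import hashlib
import hmac
import os

_ITERATIONS = 100_000  # PBKDF2 work factor for this constructed store


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


class AccountStore:
    """Constructed stand-in for the system password database."""

    def __init__(self):
        self._db = {}  # user -> (salt, derived key)

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._db[user] = (salt, _hash(password, salt))

    def verify(self, user: str, password: str) -> bool:
        # Unknown users are hashed against a dummy record so the work done
        # does not depend on whether the account exists.
        salt, stored = self._db.get(user, (b"\0" * 16, b"\0" * 32))
        matches = hmac.compare_digest(stored, _hash(password, salt))
        return matches and user in self._db


def change_password_unchecked(store, user, old, new):
    """Flawed flow: the old password is received but never verified."""
    store.set_password(user, new)
    return "200 Password changed"


def change_password_checked(store, user, old, new):
    """Corrected flow: the change is refused unless the old password verifies."""
    if not store.verify(user, old):
        return "500 Old password is incorrect"
    store.set_password(user, new)
    return "200 Password changed"
```
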
poppassd_pam 1.0 is affected by this vulnerability.
An exploit is not required.
Gentoo has released an advisory (GLSA 200501-22) to address this issue, encouraging users to migrate to poppassd_ceti 1.8.4. Gentoo users may carry out the following commands to update their computers: