Source: libuser
Version: 1:0.56.9.dfsg.1-1.2
Severity: grave
Tags: security upstream patch
During a code audit by Qualys, multiple libuser-related vulnerabilities were discovered that can allow local users to perform denial-of-service and privilege-escalation attacks:

- Race condition in password file update (CVE-2015-3246, Important)

  A flaw was found in the way the libuser library handled the /etc/passwd file. Even though traditional programs like passwd, chfn, and chsh work on a temporary copy of /etc/passwd and eventually use the rename() function to rename the temporary copy, libuser modified /etc/passwd directly. Unfortunately, if anything went wrong during these modifications, libuser may have left /etc/passwd in an inconsistent state. This behavior could result in a local denial-of-service attack; in addition, when combined with a second vulnerability (CVE-2015-3245, described below), it could result in the escalation of privileges to the root user.

- Lack of validation of GECOS field contents (CVE-2015-3245, Moderate)

  It was found that the chfn function of the userhelper utility did not properly filter out newline characters. The chfn function implemented by the userhelper utility verified that the fields it was given on the command line were valid (that is, contain no forbidden characters). Unfortunately, these forbidden characters (:,=) did not include the \n character and allowed local attackers to inject newline characters into the /etc/passwd file and alter this file in unexpected ways. A local attacker could use this flaw to corrupt the /etc/passwd file, which could result in a denial-of-service attack on the system.

Both issues have been fixed upstream, and shipped in release 0.62.

Please mention the CVE numbers in the changelog when fixing the issue.
References:

* Red Hat security bulletin https://access.redhat.com/articles/1537873
* PoC http://www.openwall.com/lists/oss-security/2015/07/23/16
* libuser 0.62 changelog https://fedorahosted.org/libuser/browser/NEWS?rev=libuser-0.62
* Fixing commit https://fedorahosted.org/libuser/changeset/d73aa2a5a9ce5bdd349dff46e3e4885f2b194a95/

Cheers,
Luca
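The two behaviours the report contrasts, shown side by side as an added Python example (this is illustration code written for this page, not libuser's or userhelper's source): a GECOS check that rejects chfn's forbidden characters plus newline, a demonstration that an unchecked newline splits one passwd entry into two malformed lines, and the "write a temporary file, fsync, rename() over the target" pattern next to the in-place rewrite that libuser used. The passwd content, the "crash" halfway through a write, and the choice to reject every control character (not only "\n", which is all the report requires) are this example's assumptions.

```python
import os
import tempfile

# Constructed sample, not a real /etc/passwd.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "eve:x:1000:1000:Eve Example:/home/eve:/bin/bash\n"
)

# The characters userhelper's chfn rejected, per the report; "\n" was missing.
CHFN_FORBIDDEN = ":,="


def gecos_is_valid(value):
    """Reject chfn's forbidden characters plus newline and every other ASCII
    control character.  Rejecting all control characters is this example's
    choice and goes beyond what the report describes."""
    return not any(c in CHFN_FORBIDDEN or ord(c) < 0x20 or ord(c) == 0x7F
                   for c in value)


def parse_passwd(text):
    """Split passwd-format text into 7-field entries.
    Returns (entries, malformed_lines); lines with a wrong field count are
    reported rather than silently dropped (a choice made for this example)."""
    entries, malformed = [], []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            entries.append(tuple(fields))
        else:
            malformed.append(line)
    return entries, malformed


def set_gecos(text, user, gecos, validate):
    """Rewrite USER's GECOS field (field index 4).  With validate=False this
    mirrors the reported bug: a newline inside GECOS is spliced straight into
    the file and splits the entry across two lines."""
    if validate and not gecos_is_valid(gecos):
        raise ValueError("GECOS contains a forbidden character: %r" % gecos)
    out = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == user:
            fields[4] = gecos
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


def write_in_place(path, data, fail_after=None):
    """The fragile pattern: truncate and overwrite the live file.  A crash
    part-way through (simulated by fail_after) leaves a truncated file."""
    with open(path, "w") as fh:
        if fail_after is not None:
            fh.write(data[:fail_after])
            fh.flush()
            raise RuntimeError("simulated crash while rewriting %s" % path)
        fh.write(data)


def write_atomically(path, data, fail_after=None):
    """The passwd/chfn/chsh pattern: write a temporary file in the same
    directory, fsync it, then rename() it over the target.  A crash before
    the rename leaves the old file untouched; rename() itself is atomic."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".passwd.", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            if fail_after is not None:
                fh.write(data[:fail_after])
                fh.flush()
                raise RuntimeError("simulated crash before rename of %s" % path)
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o644)
        os.rename(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def crash_leaves_file_intact(writer):
    """Run WRITER against a scratch copy of the sample file with a simulated
    crash after 20 bytes; return True if the original content survived."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "passwd")
        with open(path, "w") as fh:
            fh.write(SAMPLE_PASSWD)
        new_text = set_gecos(SAMPLE_PASSWD, "eve", "Eve Q. Example", validate=True)
        try:
            writer(path, new_text, fail_after=20)
        except RuntimeError:
            pass
        with open(path) as fh:
            return fh.read() == SAMPLE_PASSWD


if __name__ == "__main__":
    corrupted = set_gecos(SAMPLE_PASSWD, "eve", "Eve\nX", validate=False)
    print("entries/malformed after newline injection:",
          [len(x) for x in parse_passwd(corrupted)])
    print("in-place write survives crash:", crash_leaves_file_intact(write_in_place))
    print("atomic write survives crash:  ", crash_leaves_file_intact(write_atomically))
```

The injected "Eve\nX" turns eve's single entry into a five-field line and a three-field line, which is the corruption the report describes; the same value is refused once newline is in the forbidden set. The crash simulation is what makes the rename() pattern's value visible: the in-place writer leaves a 20-byte file, while the atomic writer leaves the original in place and removes its temporary file.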