Bug 2215945 (CVE-2023-4641) - CVE-2023-4641 shadow-utils: possible password leak during passwd(1) change
Summary: CVE-2023-4641 shadow-utils: possible password leak during passwd(1) change
Keywords:
Status: NEW
Alias: CVE-2023-4641
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2215947 2215948 2215949 2215950
Blocks: 2215939
Reported: 2023-06-19 13:03 UTC by ybuenos
Modified: 2024-04-30 14:58 UTC

Fixed In Version: shadow-utils 4.14.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks for the password twice. If the password fails on the second attempt, shadow-utils fails to clear the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from memory.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2023:6632 | 0 | None | None | None | 2023-11-07 08:22:16 UTC
Red Hat Product Errata | RHSA-2023:7112 | 0 | None | None | None | 2023-11-14 15:22:01 UTC
Red Hat Product Errata | RHSA-2024:0417 | 0 | None | None | None | 2024-01-24 16:47:32 UTC
Red Hat Product Errata | RHSA-2024:2577 | 0 | None | None | None | 2024-04-30 14:58:23 UTC

Description ybuenos 2023-06-19 13:03:56 UTC
When gpasswd(1) asks for the new password, it asks twice (as is usual for confirming the new password).  Each of those 2 password prompts uses agetpass() to get the password.  If the second agetpass() fails, the first password, which has been copied into the 'static' buffer 'pass' via STRFCPY(), wasn't being zeroed.
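
The failure mode described above, reduced to a self-contained C program (an added example, not the shadow-utils source or the upstream patch). `fake_getpass`, `wipe`, `read_new_password`, `residue_after_failed_confirm` and the scripted input are hypothetical stand-ins for agetpass(), the clearing routine and the two-prompt logic; the flawed path leaves the first entry in the static buffer, the hardened path clears it before returning.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the static 'pass' buffer named in the report. */
static char pass[64];

/* Hypothetical prompt stub: scripted input; NULL simulates a failed read. */
static const char *script[2];
static int script_pos;
static const char *fake_getpass(void) { return script[script_pos++]; }

/* Zero through a volatile pointer so the stores are not dropped as dead. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Returns 0 on success, -1 on failure; 'fixed' selects the hardened path. */
static int read_new_password(int fixed) {
    const char *cp = fake_getpass();          /* first prompt */
    if (cp == NULL) return -1;
    snprintf(pass, sizeof pass, "%s", cp);    /* first entry lands in pass[] */
    cp = fake_getpass();                      /* confirmation prompt */
    if (cp == NULL) {
        if (fixed) wipe(pass, sizeof pass);   /* hardened: clear, then bail */
        return -1;                            /* flawed: pass[] still filled */
    }
    int match = strcmp(pass, cp) == 0;
    wipe(pass, sizeof pass);                  /* demo is done with the buffer */
    return match ? 0 : -1;
}

/* Second prompt fails; returns how many non-zero bytes remain in pass[]. */
static size_t residue_after_failed_confirm(int fixed) {
    script[0] = "constructed-secret";         /* constructed sample input */
    script[1] = NULL;
    script_pos = 0;
    wipe(pass, sizeof pass);
    (void)read_new_password(fixed);
    size_t n = 0;
    for (size_t i = 0; i < sizeof pass; i++) n += (pass[i] != 0);
    return n;
}

int main(void) {
    printf("flawed path leaves %zu bytes\n", residue_after_failed_confirm(0));
    printf("hardened path leaves %zu bytes\n", residue_after_failed_confirm(1));
    return 0;
}
```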

Comment 3 Marco Benatto 2023-08-30 17:21:47 UTC
Upstream commit for this issue:
https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904

Comment 4 errata-xmlrpc 2023-11-07 08:22:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6632 https://access.redhat.com/errata/RHSA-2023:6632

Comment 5 errata-xmlrpc 2023-11-14 15:22:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7112 https://access.redhat.com/errata/RHSA-2023:7112

Comment 7 errata-xmlrpc 2024-01-24 16:47:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0417 https://access.redhat.com/errata/RHSA-2024:0417

Comment 10 errata-xmlrpc 2024-04-30 14:58:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:2577 https://access.redhat.com/errata/RHSA-2024:2577
