Bug 2215945 (CVE-2023-4641)

Summary: CVE-2023-4641 shadow-utils: possible password leak during passwd(1) change
Product: [Other] Security Response
Reporter: ybuenos
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: ipedrosa, pbrezina
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: shadow-utils 4.14.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2215947, 2215948, 2215949, 2215950
Bug Blocks: 2215939

Description ybuenos 2023-06-19 13:03:56 UTC
When gpasswd(1) asks for the new password, it asks twice (as is usual for confirming the new password).  Each of those 2 password prompts uses agetpass() to get the password.  If the second agetpass() fails, the first password, which has been copied into the 'static' buffer 'pass' via STRFCPY(), wasn't being zeroed.
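
The failure path described above, reduced to a stand-alone illustration (added here; this is not shadow's own code and not the upstream fix). `PASS_MAX`, `secure_zero()`, `erase_pass()` and the scripted prompt are assumed simplifications of shadow's `STRFCPY()`, `memzero()`, `erase_pass()` and `agetpass()`; `scripted_prompt()` is a constructed test double that returns a heap copy of a canned answer, or NULL to stand in for the second prompt failing. `change_password_vulnerable()` leaves the first entry in the static buffer when the second prompt returns NULL; `change_password_fixed()` wipes it on every exit, and `buffer_is_clear()` lets you check the difference.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PASS_MAX 200   /* assumed size; shadow's real constant differs */

/* File-scope buffer holding the first entry between the two prompts:
 * the 'pass' buffer the bug report refers to. */
static char pass[PASS_MAX + 1];

/* Zeroing the compiler must not elide (stand-in for explicit_bzero()/memzero()). */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n-- > 0)
        *vp++ = 0;
}

/* Prompt abstraction with agetpass()-like contract: heap copy or NULL on failure. */
typedef char *(*prompt_fn)(const char *prompt);

/* Constructed test double: canned answers; answers[1] == NULL means the
 * second prompt fails (EOF, signal, overlong input). Not shadow's agetpass(). */
static const char *answers[2];
static int answer_idx;

static void set_script(const char *first, const char *second)
{
    answers[0] = first;
    answers[1] = second;
    answer_idx = 0;
}

static char *scripted_prompt(const char *prompt)
{
    (void)prompt;
    const char *a = (answer_idx < 2) ? answers[answer_idx++] : NULL;
    if (a == NULL)
        return NULL;
    size_t n = strlen(a) + 1;
    char *copy = malloc(n);
    if (copy != NULL)
        memcpy(copy, a, n);
    return copy;
}

/* Wipe and free a prompt result (what shadow's erase_pass() does). */
static void erase_pass(char *cp)
{
    secure_zero(cp, strlen(cp));
    free(cp);
}

/* Two-prompt flow. With clear_on_failure == 0 it has the CVE-2023-4641 shape:
 * when the second prompt fails, 'pass' still holds the first entry.
 * Returns 0 when both entries match, 1 otherwise. */
static int change_password(prompt_fn getpass_fn, int clear_on_failure)
{
    char *cp = getpass_fn("New Password: ");
    if (cp == NULL)
        return 1;

    strncpy(pass, cp, PASS_MAX);   /* stands in for STRFCPY(pass, cp) */
    pass[PASS_MAX] = '\0';
    erase_pass(cp);

    cp = getpass_fn("Re-enter new password: ");
    if (cp == NULL) {
        if (clear_on_failure)
            secure_zero(pass, sizeof pass);   /* the fix: wipe before bailing out */
        return 1;                             /* unfixed: first entry stays in memory */
    }

    int match = (strcmp(pass, cp) == 0);
    erase_pass(cp);
    secure_zero(pass, sizeof pass);   /* a real tool would hash/store 'pass' first */
    return match ? 0 : 1;
}

int change_password_vulnerable(prompt_fn getpass_fn) { return change_password(getpass_fn, 0); }
int change_password_fixed(prompt_fn getpass_fn)      { return change_password(getpass_fn, 1); }

/* 1 if every byte of 'pass' is zero, i.e. nothing of the first entry remains. */
int buffer_is_clear(void)
{
    for (size_t i = 0; i < sizeof pass; i++)
        if (pass[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    set_script("correct horse", NULL);   /* constructed: second prompt fails */
    change_password_vulnerable(scripted_prompt);
    printf("unfixed, second prompt fails: buffer clear = %d\n", buffer_is_clear());

    set_script("correct horse", NULL);
    change_password_fixed(scripted_prompt);
    printf("fixed, second prompt fails:   buffer clear = %d\n", buffer_is_clear());
    return 0;
}
```

The practical rule the example shows is that a buffer receiving secret input needs a wipe on every return path, including the early-error ones, and that a plain `memset()` before return is not enough because the compiler may drop a store to memory that is never read again; the `volatile` loop (or `explicit_bzero()` where available) is what makes the wipe stick.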

Comment 3 Marco Benatto 2023-08-30 17:21:47 UTC
Upstream commit for this issue:
https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904

Comment 4 errata-xmlrpc 2023-11-07 08:22:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6632 https://access.redhat.com/errata/RHSA-2023:6632

Comment 5 errata-xmlrpc 2023-11-14 15:22:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7112 https://access.redhat.com/errata/RHSA-2023:7112

Comment 7 errata-xmlrpc 2024-01-24 16:47:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0417 https://access.redhat.com/errata/RHSA-2024:0417

Comment 10 errata-xmlrpc 2024-04-30 14:58:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:2577 https://access.redhat.com/errata/RHSA-2024:2577