Bug 1233052 - (CVE-2015-3246) CVE-2015-3246 libuser: Security flaw in handling /etc/passwd file
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
impact=important,public=20150723,repo...
Keywords: Security
Depends On: 1235517 1235518 1235519 1235520 1246225
Blocks: 1233055 1238777
Reported: 2015-06-18 03:03 EDT by Huzaifa S. Sidhpurwala
Modified: 2016-01-20 16:12 EST (History)

Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the libuser library handled the /etc/passwd file. A local attacker could use an application compiled against libuser (for example, userhelper) to manipulate the /etc/passwd file, which could result in a denial of service or possibly allow the attacker to escalate their privileges to root.
Last Closed: 2015-07-29 03:17:50 EDT
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1482 normal SHIPPED_LIVE Important: libuser security update 2015-07-23 17:59:57 EDT
Red Hat Product Errata RHSA-2015:1483 normal SHIPPED_LIVE Important: libuser security update 2015-07-23 20:44:52 EDT

Description Huzaifa S. Sidhpurwala 2015-06-18 03:03:50 EDT
A flaw was found in the way libuser handled the /etc/passwd file. Even though traditional programs like passwd, chfn, and chsh work on a temporary copy of /etc/passwd and eventually rename() it, libuser modifies /etc/passwd directly. Unfortunately, if anything goes wrong during these modifications, libuser may leave /etc/passwd in an inconsistent state.

This can cause a local denial-of-service. Also, when combined with CVE-2015-3245, it could result in privilege escalation to the root user.


Acknowledgements:

Red Hat would like to thank Qualys for reporting this issue.
Comment 39 Martin Prpič 2015-07-23 08:57:13 EDT
External References:

https://access.redhat.com/articles/1537873
Comment 41 errata-xmlrpc 2015-07-23 14:01:50 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1482 https://rhn.redhat.com/errata/RHSA-2015-1482.html
Comment 42 Florian Weimer 2015-07-23 14:12:11 EDT
Created libuser tracking bugs for this issue:

Affects: fedora-all [bug 1246225]
Comment 43 errata-xmlrpc 2015-07-23 16:45:35 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1483 https://rhn.redhat.com/errata/RHSA-2015-1483.html
Comment 46 Florian Weimer 2015-07-24 06:30:58 EDT
Statement:

This issue affects the versions of libuser as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This vulnerability has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Comment 49 Fedora Update System 2015-07-30 09:55:14 EDT
libuser-0.62-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 50 Fedora Update System 2015-08-03 00:30:53 EDT
libuser-0.62-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 51 Vincent Danen 2015-11-02 14:12:48 EST
Mitigation:

Add pam_warn and pam_deny rules to /etc/pam.d/chfn and /etc/pam.d/chsh to prevent non-root users from using this functionality.  With these edits, the files should contain:

auth       sufficient   pam_rootok.so
auth       required     pam_warn.so
auth       required     pam_deny.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth

After these changes, attempts by unprivileged users to use chfn and chsh (and the respective functionality in the userhelper program) will fail, and will be logged (by default in /var/log/secure).
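
A way to verify that the mitigation in the comment above is in place, added here as an example and not part of the original bug report or of any Red Hat tooling. The function names `check_pam_mitigation` and `report` are hypothetical, and both sample files are constructed (the second is the listing above without the two added rules).

```sh
# check_pam_mitigation FILE: exit 0 only if FILE's auth stack has
# pam_rootok.so (sufficient), pam_warn.so and pam_deny.so (both required),
# with no other auth rule evaluated before pam_deny.so.
check_pam_mitigation() {
    awk '
        $1 != "auth" { next }   # skip comments, blanks and other stacks
        deny         { next }   # required pam_deny already forces failure
        $2 == "sufficient" && $3 == "pam_rootok.so" { rootok = 1; next }
        $2 == "required"   && $3 == "pam_warn.so"   { warn = 1;   next }
        $2 == "required"   && $3 == "pam_deny.so"   { deny = 1;   next }
        { other = 1 }           # e.g. "auth include system-auth" comes first
        END { exit !(rootok && warn && deny && !other) }
    ' "$1"
}

# report FILE...: print one line per file; return the number of unmitigated files.
report() {
    bad=0
    for f in "$@"; do
        if check_pam_mitigation "$f"; then
            echo "mitigated:   $f"
        else
            echo "UNMITIGATED: $f"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample files (not read from a live system).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/chfn.mitigated" <<'EOF'
auth       sufficient   pam_rootok.so
auth       required     pam_warn.so
auth       required     pam_deny.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
EOF
cat > "$SAMPLES/chsh.unmitigated" <<'EOF'
auth       sufficient   pam_rootok.so
auth       include      system-auth
account    include      system-auth
EOF
report "$SAMPLES/chfn.mitigated" "$SAMPLES/chsh.unmitigated" || true
# On a real host: report /etc/pam.d/chfn /etc/pam.d/chsh
```

The check is order-sensitive: a file where `auth include system-auth` precedes pam_deny.so is reported as unmitigated, because the included stack would be evaluated for non-root users first.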
