Bug 1358622 – REJECTED CVE-2016-6251 shadow-utils: Potentially unsafe use of getlogin

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1358622 - (CVE-2016-6251) REJECTED CVE-2016-6251 shadow-utils: Potentially unsafe use of getlogin

Summary:	REJECTED CVE-2016-6251 shadow-utils: Potentially unsafe use of getlogin

Status:	CLOSED NOTABUG

Aliases:	CVE-2016-6251

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20160719,reported=2...
Keywords:	Security

Depends On:	1358629
Blocks:	1358628
	Show dependency tree / graph

Reported:	2016-07-21 03:42 EDT by Andrej Nemec
Modified:	2017-02-17 10:11 EST (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2016-07-21 05:01:30 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Andrej Nemec 2016-07-21 03:42:57 EDT

A vulnerability was found in shadow-utils. Function getlogin() relies on utmp, which is not a trusted base of information.

References:

http://seclists.org/oss-sec/2016/q3/111

CVE assignment:

http://seclists.org/oss-sec/2016/q3/115

Comment 1 Andrej Nemec 2016-07-21 04:00:42 EDT

Created shadow-utils tracking bugs for this issue:

Affects: fedora-all [bug 1358629]

Comment 2 Tomas Mraz 2016-07-21 04:40:49 EDT

No, the use of getlogin in shadow-utils is safe (it is used only to diferentiate the user if there are multiple users with the same uid -> same privileges anyway).
See this post which I agree with:
http://seclists.org/oss-sec/2016/q3/120

Comment 3 Andrej Nemec 2016-07-21 05:01:30 EDT

(In reply to Tomas Mraz from comment #2)
> No, the use of getlogin in shadow-utils is safe (it is used only to
> diferentiate the user if there are multiple users with the same uid -> same
> privileges anyway).
> See this post which I agree with:
> http://seclists.org/oss-sec/2016/q3/120

I agree too, closing this as notabug. Thanks for confirmation!

Comment 4 Andrej Nemec 2016-07-25 08:36:15 EDT

Upstream bug:

https://github.com/shadow-maint/shadow/issues/28

Note You need to log in before you can comment on or make changes to this bug.