A vulnerability was found in shadow-utils. Function getlogin() relies on utmp, which is not a trusted base of information.
References: http://seclists.org/oss-sec/2016/q3/111
CVE assignment: http://seclists.org/oss-sec/2016/q3/115
Created shadow-utils tracking bugs for this issue: Affects: fedora-all [bug 1358629]
No, the use of getlogin in shadow-utils is safe (it is used only to differentiate the user if there are multiple users with the same uid -> same privileges anyway). See this post which I agree with: http://seclists.org/oss-sec/2016/q3/120
(In reply to Tomas Mraz from comment #2)
> No, the use of getlogin in shadow-utils is safe (it is used only to
> differentiate the user if there are multiple users with the same uid -> same
> privileges anyway).
> See this post which I agree with:
> http://seclists.org/oss-sec/2016/q3/120

I agree too, closing this as notabug. Thanks for confirmation!
Upstream bug: https://github.com/shadow-maint/shadow/issues/28
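
The pattern discussed in this thread, as an added example that is not shadow-utils code and not part of the original comments: the utmp-derived getlogin() value is treated only as a hint and is accepted only when the passwd database maps that name to the caller's real uid, so it can do no more than choose between accounts that share a uid. The helper names `name_matches_uid` and `resolve_caller_name` are hypothetical.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: accept a login-name hint only if the passwd
 * database maps it to the expected uid. Returns 1 and copies the name
 * into out on success, 0 otherwise. */
static int name_matches_uid(const char *hint, uid_t uid, char *out, size_t outlen)
{
    if (hint == NULL || *hint == '\0')
        return 0;
    struct passwd *pw = getpwnam(hint);
    if (pw == NULL || pw->pw_uid != uid || strlen(pw->pw_name) >= outlen)
        return 0;
    strcpy(out, pw->pw_name);
    return 1;
}

/* Resolve the caller's account name. A hint that does not belong to uid
 * (for example a stale or forged utmp entry) is ignored and the first
 * passwd entry for uid is used instead. */
static int resolve_caller_name(const char *hint, uid_t uid, char *out, size_t outlen)
{
    if (name_matches_uid(hint, uid, out, outlen))
        return 1;
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL || strlen(pw->pw_name) >= outlen)
        return 0;
    strcpy(out, pw->pw_name);
    return 1;
}

int main(void)
{
    char name[256];
    /* getlogin() may return NULL or a name taken from utmp; both are
     * handled as untrusted input by resolve_caller_name(). */
    if (!resolve_caller_name(getlogin(), getuid(), name, sizeof name)) {
        fprintf(stderr, "no passwd entry for uid %lu\n", (unsigned long)getuid());
        return 1;
    }
    printf("%s\n", name);
    return 0;
}
```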