Bug 147634 - CAN-2004-1001 Unauthorized account properties modification (chfn and chsh)
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: shadow-utils
3.0
All Linux
medium Severity medium
Assigned To: Eido Inoue
David Lawrence
http://cvs.pld.org.pl/shadow/NEWS?rev...
: Security
Reported: 2005-02-09 18:04 EST by Marcin Garski
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2005-02-11 06:38:12 EST
Description Marcin Garski 2005-02-09 18:04:17 EST
shadow-4.0.5 has fixed a security bug in libmisc/pwdcheck.c which allows
unauthorized account properties modification. Affected tools: chfn and
chsh. As I see it, the patch can be easily backported.
Comment 1 Marcin Garski 2005-02-09 18:05:34 EST
I don't have access to RHEL, but RHEL could probably use an affected version.
Comment 2 Mark J. Cox (Product Security) 2005-02-11 06:38:12 EST
Note that the scope of this issue is for a user who is logged in but
has an expired password to alter his account information with chfn or
chsh without having to change the password.

RHEL uses chfn/chsh from util-linux and not from shadow-utils and is
unaffected by this issue.
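
A triage check for the question this thread turns on: which package ships chfn and chsh on a host, and whether it predates the shadow 4.0.5 fix. This is an added example, not part of the bug report or of any Red Hat or shadow tooling; the function names and verdict strings are made up for illustration, and the version cutoff is taken from the reporter's description.

```shell
#!/bin/sh
# Added triage example. Assumption from the report: chfn/chsh are affected
# only when shipped by shadow / shadow-utils in a version older than 4.0.5.
# Usage: sh check.sh /usr/bin/chfn /usr/bin/chsh

FIXED_VERSION="4.0.5"

# version_lt A B: succeed when dotted numeric version A sorts strictly before B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$lowest" = "$1" ]
}

# classify NAME VERSION: print a verdict for the package that owns the binary.
classify() {
    case "$1" in
        shadow|shadow-utils)
            if version_lt "$2" "$FIXED_VERSION"; then
                echo "affected"
            else
                echo "fixed"
            fi ;;
        util-linux)
            echo "unaffected" ;;   # per comment 2: not the shadow code path
        *)
            echo "unknown" ;;      # some other provider; review by hand
    esac
}

# check_binary PATH: ask the RPM database which package owns PATH.
check_binary() {
    owner=$(rpm -qf --queryformat '%{NAME} %{VERSION}\n' "$1" 2>/dev/null) || {
        echo "$1: owner unknown (rpm query failed)"
        return 0
    }
    set -- "$1" $owner             # split "name version" into $2 and $3
    echo "$1: $2 $3 -> $(classify "$2" "$3")"
}

# With no arguments nothing is queried; the functions are only defined.
for bin in "$@"; do
    check_binary "$bin"
done
```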
