Bug 147634 - CAN-2004-1001 Unauthorized account properties modification (chfn and chsh)
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: shadow-utils
Version: 3.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Eido Inoue
QA Contact: David Lawrence
URL: http://cvs.pld.org.pl/shadow/NEWS?rev...
Whiteboard:
Depends On:
Blocks:
Reported: 2005-02-09 23:04 UTC by Marcin Garski
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-02-11 11:38:12 UTC
Target Upstream Version:
Embargoed:



Description Marcin Garski 2005-02-09 23:04:17 UTC
shadow-4.0.5 has fixed a security bug in libmisc/pwdcheck.c which allows
unauthorized account properties modification. Affected tools: chfn and
chsh. As I see it, the patch can be easily backported.

Comment 1 Marcin Garski 2005-02-09 23:05:34 UTC
I don't have access to RHEL, but RHEL could probably use an affected version.

Comment 2 Mark J. Cox 2005-02-11 11:38:12 UTC
Note that the scope of this issue is for a user who is logged in but
has an expired password to alter his account information with chfn or
chsh without having to change the password.

RHEL uses chfn/chsh from util-linux and not from shadow-utils and is
unaffected by this issue.
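
To size the exposure described in comment 2 on a system that does ship chfn/chsh from shadow, the following added example (not part of this bug report and not code from shadow or util-linux) lists the accounts whose passwords are past their maximum age. It assumes a simplified reading of the shadow(5) aging fields; the function names and the sample entries are constructed for illustration.

```python
import time

SECONDS_PER_DAY = 86400

def _days(field):
    """Convert a shadow(5) day-count field to int; None if empty or malformed."""
    try:
        return int(field)
    except ValueError:
        return None

def password_state(line, today):
    """Classify one shadow(5) entry as 'expired', 'must-change' or 'ok'."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 5:
        raise ValueError("not a shadow(5) entry: %r" % line)
    lastchg, max_age = _days(fields[2]), _days(fields[4])
    if lastchg == 0:
        return "must-change"      # 0 means: change password at next login
    if lastchg is None or max_age is None or max_age < 0:
        return "ok"               # password aging not in effect
    return "expired" if today > lastchg + max_age else "ok"

def accounts_in_scope(lines, today=None):
    """Return (user, state) for accounts that are due a password change."""
    if today is None:
        today = int(time.time() // SECONDS_PER_DAY)
    found = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        state = password_state(line, today)
        if state != "ok":
            found.append((line.split(":", 1)[0], state))
    return found

# Constructed sample entries (hashes are placeholders, not real values).
SAMPLE_SHADOW = [
    "alice:$1$constructed$hash:12700:0:90:7:::",
    "bob:$1$constructed$hash:12800:0:90:7:::",
    "carol:$1$constructed$hash:0:0:90:7:::",
    "daemon:*:12000:0:99999:7:::",
    "dave:$1$constructed$hash:::::::",
]

if __name__ == "__main__":
    # Day 12823 since the epoch is 2005-02-09, the date of the report.
    for user, state in accounts_in_scope(SAMPLE_SHADOW, today=12823):
        print(user, state)
```

On a live host the input would be the lines of /etc/shadow, read as root; which package owns the installed chfn and chsh binaries decides whether the result matters at all.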

