Bug 152837 - CAN-2004-1001 Shadow "passwd_check()" Security Bypass Vulnerability
Status: CLOSED NOTABUG
Product: Fedora Legacy
Classification: Retired
Component: Package request
unspecified
All Linux
medium Severity medium
Assigned To: Fedora Legacy Bugs
http://secunia.com/advisories/13028/
1, LEGACY, rh73, rh90
Reported: 2004-11-08 16:30 EST by David Lawrence
Modified: 2008-05-01 11:38 EDT (History)


Description David Lawrence 2005-03-30 18:29:11 EST
A new vulnerability has been reported in the passwd_check function in Shadow
4.0.4.1, possibly other versions before 4.0.5.

The vulnerability can be exploited by malicious, local users to bypass certain
security restrictions.

The vulnerability is caused due to an input validation error in the function
"passwd_check()" in "libmisc/pwdcheck.c", which is used by the "chfn" and "chsh"
utilities.

Successful exploitation allows unauthorised modification of account properties.

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1001



------- Additional Comments From pekkas@netcore.fi 2004-12-20 03:12:19 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've created src.rpm's for all of RH73, RH9 and FC1, and binaries for RH73
and RH9.

The same patch applies to all of them, and has been extracted from Debian's
patch (http://www.debian.org/security/2004/dsa-585).

RHL73:
http://www.netcore.fi/pekkas/linux/shadow-utils-20000902-9.7.1.legacy.src.rpm
http://www.netcore.fi/pekkas/linux/shadow-utils-20000902-9.7.1.legacy.i386.rpm
RHL9:
http://www.netcore.fi/pekkas/linux/shadow-utils-4.0.3-6.1.legacy.src.rpm
http://www.netcore.fi/pekkas/linux/shadow-utils-4.0.3-6.1.legacy.i386.rpm
FC1:
http://www.netcore.fi/pekkas/linux/shadow-utils-4.0.3-12.1.legacy.src.rpm

Changelog: (similar to):
* Mon Dec 20 2004 Pekka Savola <pekkas@netcore.fi> 2:4.0.3-6.1.legacy
- - added patch to CAN-2004-1001 from Debian. (#2253)

SHA1sum:
15e89ef38458bfc63315bea935987a37ef9f5129  shadow-utils-20000902-9.7.1.legacy.i386.rpm
dbe7e5b1282ac426b2e25ef5a070e24a87cab94e  shadow-utils-20000902-9.7.1.legacy.src.rpm
218e931fd8d8d25605fcdc986798c287ed8e8d8f  shadow-utils-4.0.3-12.1.legacy.src.rpm
090ad729948b061b4c8a89ee54cbdc614eff6ac0  shadow-utils-4.0.3-6.1.legacy.i386.rpm
06b7fefd57cca36b2806eebc2a49537c97edf1bb  shadow-utils-4.0.3-6.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBxs+RGHbTkzxSL7QRArITAKCIff6Yn9Xm/d7KcPaYhavI+wklmACgmmI4
iINpgE9S9I0pF+Vu3ds7kMY=
=srvS
-----END PGP SIGNATURE-----




------- Additional Comments From rob.myers@gtri.gatech.edu 2004-12-20 10:25:40 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
i did QA on pekka's shadow packages:
 
short version: everything looks great, but there is a missing gettext
BuildRequire for mach.
 
fc1:
 
sha1sum ok - 218e931fd8d8d25605fcdc986798c287ed8e8d8f  shadow-utils-4.0.3-12.1.legacy.src.rpm
release number ok - greater than current fc1 shadow-utils less than current fc2
shadow-utils
source files ok - verified against shadow-utils-4.0.3-12
patch ok - verified (without braces) against upstream cvs:
http://cvs.pld.org.pl/shadow/libmisc/pwdcheck.c?r1=text&tr1=1.2&r2=text&tr2=1.4&f=u
spec file ok
must add BuildRequire: gettext to build in mach
cra's rpm-build-compare script looks good
installs ok
runs ok
+PUBLISH
  
rh9:
 
sha1sum ok - 06b7fefd57cca36b2806eebc2a49537c97edf1bb  shadow-utils-4.0.3-6.1.legacy.src.rpm
release number ok - greater than current rh9 shadow-utils less than current fc1
shadow-utils
source files ok - verified against shadow-utils-4.0.3-6
patch ok - verified (without braces) against upstream cvs:
http://cvs.pld.org.pl/shadow/libmisc/pwdcheck.c?r1=text&tr1=1.2&r2=text&tr2=1.4&f=u
spec file ok
must add BuildRequire: gettext to build in mach
cra's rpm-build-compare script looks good
+PUBLISH
 
rh73:
 
sha1sum ok - dbe7e5b1282ac426b2e25ef5a070e24a87cab94e  shadow-utils-20000902-9.7.1.legacy.src.rpm
source files ok - verified against shadow-utils-20000902-9.7
patch ok - verified (without braces) against upstream cvs:
http://cvs.pld.org.pl/shadow/libmisc/pwdcheck.c?r1=text&tr1=1.2&r2=text&tr2=1.4&f=u
spec file ok
must add BuildRequire: gettext to build in mach
cra's rpm-build-compare script looks good, my mach rebuilt package adds requires
ld-linux.so.2?
+PUBLISH
 
this file is available from:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/2253-qa.txt.asc
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBxzTNtU2XAt1OWnsRAuFpAKDZx4dl1ZQDRu2HJ4eeambJJiVrlQCeLc6L
WdtecEqhkl4sNII9/N6lcxs=
=5N8u
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-04 12:30:00 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the packages in comment #1:

dbe7e5b1282ac426b2e25ef5a070e24a87cab94e  shadow-utils-20000902-9.7.1.legacy.src.rpm
218e931fd8d8d25605fcdc986798c287ed8e8d8f  shadow-utils-4.0.3-12.1.legacy.src.rpm
06b7fefd57cca36b2806eebc2a49537c97edf1bb  shadow-utils-4.0.3-6.1.legacy.src.rpm

- - Source files match previous release
- - Patch file matches upstream CVS
- - Spec file changes are good

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCKOFcLMAs/0C4zNoRAnRwAJ0U0GMQOQBGX/0o3/2ChBFqY1bF1wCcDrs1
fT0hGk3l2civRe8KuIsDOMM=
=sX5b
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-05 06:06:12 ----

These are ready to be built



------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-05 08:50:10 ----

packages were pushed to updates-testing



------- Additional Comments From madhatter@teaparty.net 2005-03-05 11:59:01 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

eb87986f5946d96029a5e1f949c033910d1535f3 shadow-utils-4.0.3-6.2.legacy.i386.rpm

installed on rh9.  the original description suggests the problem is in chfn
and chsh, but those are provided by util-linux, not shadow-utils.  testing
shadow-utils: usermod can change the GECOS field in /etc/passwd, useradd
and userdel work fine.  hope that's an OK test.

+VERIFY RH9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCKiuVePtvKV31zw4RAoEuAJ4/YMIrGaLdNM5g+Dh4jTmKbQClNACfYljn
VqcsO2pqtx/2UrE/qpoh7ok=
=J/wS
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-05 13:32:54 ----

In response to comment #6:

You're right...chfn and chsh don't come from shadow-utils. The file we've
patched, pwdcheck.c is only used by chfn.c and chsh.c which aren't even shipped
in the rpm as they're deleted in the spec file.

Looks like the packages are completely unnecessary.

I'm closing this bug and removing them from updates-testing.
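
The check that closed this bug, as an added example (not part of the original thread or of Fedora Legacy's tooling): before building an update, confirm that the package actually ships the programs the advisory names. The file lists, the `<package>.files` layout and the function names are constructed for illustration; on a real system the lists would come from `rpm -ql <package>`.

```shell
# Triage check: does a package payload ship the programs an advisory names?
# All file lists used here are constructed samples, not real rpm output.

# owners_of LIST_DIR PROGRAM...
# LIST_DIR holds one "<package>.files" per package (e.g. from "rpm -ql").
# Prints "program package" per match, or "program -" if nothing ships it.
owners_of() {
    list_dir=$1; shift
    for prog in "$@"; do
        found=
        for list in "$list_dir"/*.files; do
            [ -f "$list" ] || continue
            # Match the program name only as the final path component.
            if grep -Eq "/${prog}\$" "$list"; then
                echo "$prog $(basename "$list" .files)"
                found=1
            fi
        done
        [ -n "$found" ] || echo "$prog -"
    done
}

# needs_update LIST_DIR PACKAGE PROGRAM...
# Exit status 0 only if PACKAGE ships at least one of the named programs.
needs_update() {
    nu_dir=$1; nu_pkg=$2; shift 2
    owners_of "$nu_dir" "$@" | grep -q " ${nu_pkg}\$"
}

# Constructed sample lists mirroring the situation found in this thread.
make_sample_lists() {
    sample=$(mktemp -d)
    printf '%s\n' /usr/sbin/useradd /usr/sbin/usermod /usr/sbin/userdel \
        > "$sample/shadow-utils.files"
    printf '%s\n' /usr/bin/chfn /usr/bin/chsh /bin/mount \
        > "$sample/util-linux.files"
    echo "$sample"
}

lists=$(make_sample_lists)
owners_of "$lists" chfn chsh
if needs_update "$lists" shadow-utils chfn chsh; then
    echo "shadow-utils: ships affected programs, update needed"
else
    echo "shadow-utils: affected programs not shipped, no update needed"
fi
rm -rf "$lists"
```

The match is on file names only, so a source file such as `pwdcheck.c` compiled into a different shipped binary would still need a separate check of the build.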



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:29 -------

This bug previously known as bug 2253 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2253
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl@redhat.com.
   Previous reporter was fedora-legacy-bugzilla-2004@fumika.jp.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

