Local users can obtain root access because setuid programs are misconfigured. This affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. Upstream Issue: https://github.com/shadow-maint/shadow/commit/edf7547ad5aa650be868cf2dac58944773c12d75
We do not compile shadow-utils with --with-libpam option.
Statement: This issue only affects the shadow-utils package when compiled with the "with-libpam" option. The shadow-utils package, as shipped by Red Hat, is not compiled with that option and is therefore not affected by this flaw.