Bug 2215945 (CVE-2023-4641) - CVE-2023-4641 shadow-utils: possible password leak during passwd(1) change
Summary: CVE-2023-4641 shadow-utils: possible password leak during passwd(1) change
Keywords:
Status: NEW
Alias: CVE-2023-4641
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2215947 2215948 2215949 2215950
Blocks: 2215939
TreeView+ depends on / blocked
 
Reported: 2023-06-19 13:03 UTC by ybuenos
Modified: 2024-03-27 05:13 UTC (History)
2 users (show)

Fixed In Version: shadow-utils 4.14.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:6632 0 None None None 2023-11-07 08:22:16 UTC
Red Hat Product Errata RHSA-2023:7112 0 None None None 2023-11-14 15:22:01 UTC
Red Hat Product Errata RHSA-2024:0417 0 None None None 2024-01-24 16:47:32 UTC

Description ybuenos 2023-06-19 13:03:56 UTC
When gpasswd(1) asks for the new password, it asks twice (as is usual for confirming the new password).  Each of those 2 password prompts uses agetpass() to get the password.  If the second agetpass() fails, the first password, which has been copied into the 'static' buffer 'pass' via STRFCPY(), wasn't being zeroed.

Comment 3 Marco Benatto 2023-08-30 17:21:47 UTC
Upstream commmit for this issue:
https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904

Comment 4 errata-xmlrpc 2023-11-07 08:22:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6632 https://access.redhat.com/errata/RHSA-2023:6632

Comment 5 errata-xmlrpc 2023-11-14 15:22:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7112 https://access.redhat.com/errata/RHSA-2023:7112

Comment 7 errata-xmlrpc 2024-01-24 16:47:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0417 https://access.redhat.com/errata/RHSA-2024:0417


Note You need to log in before you can comment on or make changes to this bug.