In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.
Created shadow-utils tracking bugs for this issue:
Affects: fedora-all [bug 2187190]
chfn is provided in Fedora and RHEL by util-linux package, and not by shadow-utils. Thus, should I change the ownership of the bugzillas, or should I close them? It isn't clear to me as I know there is another bugzilla but it is embargoed and I can't see its content.
Created util-linux tracking bugs for this issue:
Affects: fedora-all [bug 2187215]
Did you read the original blog post about this issue?
There is a note about util-linux:
Remember at the start where I said chfn can be found in util-linux and shadow packages? Well strangely enough, the util-linux version blocks control characters via “iscntrl” in ch-common.c. In addition, it adds the “ character into the blacklist, so perhaps there is a story and some research behind that one too?
IMHO, we can close this CVE for RHEL and Fedora.
Ping .. see comment #7.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):