https://nvd.nist.gov/vuln/detail/CVE-2023-29383
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/
Reproducible: Always
https://github.com/gentoo/gentoo/pull/30644
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f00fc3d1955bec0b229a0a4e5affc3080f4554fd

commit f00fc3d1955bec0b229a0a4e5affc3080f4554fd
Author:     Michael Vetter <jubalh@iodoru.org>
AuthorDate: 2023-04-18 16:01:40 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2023-04-18 16:33:34 +0000

    sys-apps/shadow: fix CVE-2023-29383

    See: https://nvd.nist.gov/vuln/detail/CVE-2023-29383
    Bug: https://bugs.gentoo.org/904518
    Signed-off-by: Michael Vetter <jubalh@iodoru.org>
    Closes: https://github.com/gentoo/gentoo/pull/30644
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 .../shadow/files/shadow-4.13-CVE-2023-29383.patch | 100 ++++++++
 sys-apps/shadow/shadow-4.13-r3.ebuild             | 264 +++++++++++++++++++++
 2 files changed, 364 insertions(+)
Thanks! Please clean up.
Cleanup done.
I'm fairly certain this bug can be closed. It was fixed in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f00fc3d1955b and the ebuild for sys-apps/shadow-4.13-r3 was removed in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=46c3163eef63
Security bugs have a process beyond that where we decide to GLSA or not.
Understood. I'll avoid suggesting closing security bugs going forward unless it hasn't been closed after a GLSA has been made. :)