| Summary: | sys-apps/shadow Unchecked set*uid() calls (Vendor-Sec) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | ||
| Severity: | normal | ||
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | CONFIDENTIAL no release date set | ||
| Package list: | | Runtime testing required: | --- |
Vapier please advise.

The code in question was removed in shadow-4.0.14. ChangeLog:

2005-10-12 Tomasz Kłoczko <kloczek@pld.org.pl>
* src/passwd.c, NEWS, man/passwd.1, man/passwd.1.xml: remove handle -f, -g and -s options in passwd.

NEWS: shadow-4.0.13 -> shadow-4.0.14 03-01-2006
*** general:
- passwd: remove handle -f, -g and -s options.

*** Bug 144868 has been marked as a duplicate of this bug. ***
Hey,

So I just looked at 4.0.3 (I have no idea if that is the latest version, I got it from the Slackware site, for Slack 10.2) and here is the vulnerable code:

```c
if (argc > 1 && argv[1][0] == '-' && strchr ("gfs", argv[1][1])) {
    char buf[200];

    setuid (getuid ());             /* return value is never checked */
    switch (argv[1][1]) {
    case 'g':
        argv[1] = GPASSWD_PROGRAM;  /* XXX warning: const */
        break;
    case 'f':
        argv[1] = CHFN_PROGRAM;     /* XXX warning: const */
        break;
    case 's':
        argv[1] = CHSH_PROGRAM;     /* XXX warning: const */
        break;
    default:
        usage (E_BAD_ARG);
    }
    snprintf (buf, sizeof buf, _("%s: Cannot execute %s"), Prog, argv[1]);
    execvp (argv[1], &argv[1]);     /* PATH search, still as root if setuid() failed */
    perror (buf);
    SYSLOG ((LOG_ERR, "cannot execute %s", argv[1]));
    closelog ();
    exit (E_FAILURE);
}
```

It is located inside main()!

Regards,
Ilja van Sprundel.
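As an added example (not shadow's code and not part of this bug report), a hardened form of the dispatch above: the privilege drop is checked and then verified by re-reading the credentials, and the helper is only executed through an absolute path once the process is confirmed unprivileged. The function names and the helper paths are assumptions made for this example.

```c
#define _GNU_SOURCE            /* setresuid/getresuid on glibc */
#include <errno.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop root privilege permanently to the caller's real uid/gid. Returns 0 only
 * if every call succeeded AND the kernel confirms no elevated id remains. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), r, e, s;
    gid_t rgid = getgid(), gr, ge, gs;
    if (setresgid(rgid, rgid, rgid) != 0)   /* gid first: needs root */
        return -1;
    /* set*uid() can fail (e.g. EAGAIN at the target uid's process
     * limit); the snippet above ignores this and continues as root. */
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;
    /* Do not trust the return value alone: re-read the credentials. */
    if (getresuid(&r, &e, &s) != 0 || getresgid(&gr, &ge, &gs) != 0)
        return -1;
    if (r != ruid || e != ruid || s != ruid ||
        gr != rgid || ge != rgid || gs != rgid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}
/* -g/-f/-s to helper program; the absolute paths are assumed here. */
const char *helper_path(char opt)
{
    switch (opt) {
    case 'g': return "/usr/bin/gpasswd";
    case 'f': return "/usr/bin/chfn";
    case 's': return "/usr/bin/chsh";
    default:  return NULL;
    }
}
/* Hardened dispatcher: exec only after a verified drop, and via an
 * absolute path rather than execvp's PATH search. Returns -1 on failure. */
int run_helper(char opt)
{
    const char *path = helper_path(opt);
    if (path == NULL) { errno = EINVAL; return -1; }
    if (drop_privileges() != 0)
        return -1;                          /* still privileged: no exec */
    char *const args[] = { (char *)path, NULL };
    execv(path, args);
    return -1;                              /* exec failed */
}
```

Run as an ordinary user, drop_privileges() succeeds trivially; the value of the check shows in a setuid-root binary, where a failed set*uid() now aborts the dispatch instead of executing the helper as root.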