
Bug 355207 (CVE-2011-0721)

Summary: <sys-apps/shadow-4.1.4.3: privilege escalation / DoS in NIS environments (CVE-2011-0721)
Product: Gentoo Security
Reporter: Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: critical    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A1 [glsa]
Package list:
Runtime testing required: ---

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-16 16:53:57 UTC
Kees Cook discovered that some shadow utilities did not correctly validate
user input. A local attacker could exploit this flaw to inject newlines into
the /etc/passwd file. If the system was configured to use NIS, this could
lead to existing NIS groups or users gaining or losing access to the system,
resulting in a denial of service or unauthorized access.

- CVE-2011-0721: An insufficient input sanitation in chfn can be exploited
  to create users or groups in a NIS environment.

ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-4.1.4.3.NEWS
Comment 1 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-16 17:22:54 UTC
I'm not sure about the severity, but it looks like a newline injection. It might be possible to inject a line with UID=0. Unfortunately there is not much info about this vulnerability. Debian rates it as minor.
Comment 2 SpanKY gentoo-dev 2011-02-17 05:33:29 UTC
seems the .3 release is the .2 release plus this one fix (and a lot of regenerated files).  so it should be fairly safe to stabilize quickly.
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-17 15:37:47 UTC
Thank you. Arches, please stabilize =sys-apps/shadow-4.1.4.3
Comment 4 Agostino Sarubbo gentoo-dev 2011-02-17 17:01:22 UTC
works on amd64!
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2011-02-17 19:52:29 UTC
amd64 done. Thanks Agostino
Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-02-17 20:16:47 UTC
ppc/ppc64 stable
Comment 7 Alex Buell 2011-02-18 11:47:30 UTC
Tested on SPARC, seems to work OK. Could stabilise.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2011-02-18 13:03:14 UTC
Stable for HPPA.
Comment 9 Markus Meier gentoo-dev 2011-02-19 19:20:16 UTC
arm stable
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-20 12:04:08 UTC
x86 stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2011-02-26 16:51:37 UTC
alpha/ia64/m68k/s390/sh/sparc stable
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-02-26 19:43:48 UTC
Thanks, folks. GLSA request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 20:01:36 UTC
CVE-2011-0721 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0721):
  Multiple CRLF injection vulnerabilities in (1) chfn and (2) chsh in shadow
  1:4.1.4 allow local users to add new users or groups to /etc/passwd via the
  GECOS field.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:36:49 UTC
This issue was resolved and addressed in
 GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml
by GLSA coordinator Sean Amoss (ackle).
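
The flaw class described in this bug (a GECOS value reaching /etc/passwd without its separators being rejected) can be checked for as below. This is an added example, not code from the shadow project or its 4.1.4.3 fix; the function names `gecos_value_ok` and `audit_passwd` and the sample buffer are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 if a user-supplied GECOS value is safe to
 * place in a passwd record, 0 if it contains ':' (field separator), CR/LF
 * (record separator) or any other control character. */
int gecos_value_ok(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == ':' || c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* Hypothetical audit: walks a passwd-format buffer and counts NIS compat
 * entries (lines starting with '+' or '-') and records that do not have
 * exactly 7 colon-separated fields. Returns the total number of findings. */
int audit_passwd(const char *buf, int *nis, int *malformed)
{
    *nis = *malformed = 0;
    while (*buf) {
        size_t len = strcspn(buf, "\n");
        if (len > 0 && (buf[0] == '+' || buf[0] == '-')) {
            (*nis)++;
        } else if (len > 0) {
            int colons = 0;
            for (size_t i = 0; i < len; i++)
                colons += (buf[i] == ':');
            if (colons != 6)
                (*malformed)++;
        }
        buf += len;
        if (*buf == '\n')
            buf++;
    }
    return *nis + *malformed;
}

/* Constructed sample: one truncated record and one NIS compat line. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000:Alice,Room 1\n"
    "+::::::\n"
    "bob:x:1001:1001:Bob:/home/bob:/bin/sh\n";

int main(void)
{
    int nis, bad, total = audit_passwd(SAMPLE_PASSWD, &nis, &bad);
    printf("findings=%d nis_compat=%d malformed=%d\n", total, nis, bad);
    return 0;
}
```

On a host that does not use NIS compat mode, any `+` or `-` line reported by the audit is unexpected and worth investigating alongside the upgrade to sys-apps/shadow-4.1.4.3.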