Summary: | <sys-apps/shadow-4.6: unprivileged user can drop supplementary groups (CVE-2018-7169) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | base-system, leio, pam-bugs+disabled |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/shadow-maint/shadow/pull/97 | ||
See Also: | https://github.com/gentoo/gentoo/pull/7203 | ||
Whiteboard: | A2 [glsa+ cve] | ||
Package list: | sys-apps/shadow-4.6 | ||
Runtime testing required: | --- |
Description
GLSAMaker/CVETool Bot
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78e50f251c0ad49437a4146dc2bdd1552a88fe04

commit 78e50f251c0ad49437a4146dc2bdd1552a88fe04
Author:     Michael Vetter <jubalh@iodoru.org>
AuthorDate: 2018-02-16 11:22:10 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2018-02-17 12:50:11 +0000

    sys-apps/shadow: Fix CVE-2018-7169

    Fix CVE-2018-7169 by applying upstream patch:
    https://github.com/shadow-maint/shadow/commit/fb28c99b8a66ff2605c5cb96abc0a4d975f92de0

    Bug: https://bugs.gentoo.org/647790
    Package-Manager: Portage-2.3.19, Repoman-2.3.6
    Closes: https://github.com/gentoo/gentoo/pull/7203

 .../shadow/files/shadow-4.5-CVE-2018-7169.patch | 180 ++++++++++++++++++
 sys-apps/shadow/shadow-4.5-r1.ebuild            | 210 +++++++++++++++++++++
 2 files changed, 390 insertions(+)

ping, why isn't this proceeding to stabilization still?

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ec0a8306f712c40b6b84d721b4ed70d9f4703e8b

commit ec0a8306f712c40b6b84d721b4ed70d9f4703e8b
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2018-04-30 16:02:31 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2018-04-30 16:05:03 +0000

    sys-apps/shadow: Security bump to version 4.6

    Bug: https://bugs.gentoo.org/647790
    Bug: https://bugs.gentoo.org/635750
    Package-Manager: Portage-2.3.31, Repoman-2.3.9

 sys-apps/shadow/Manifest          |   1 +
 sys-apps/shadow/shadow-4.6.ebuild | 211 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 212 insertions(+)

@arches, please stabilize.

amd64 stable

(In reply to Mikle Kolyada from comment #6)
> amd64 stable

Apparently the keywords were not transferred to the tree:

Keywords: 4.5:0: alpha amd64 arm arm64 hppa ia64 ppc ppc64 sparc x86
Keywords: 4.5-r1:0:
Keywords: 4.6:0: ~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86

Head commit of repository gentoo: dd8bdb3d06e678c08a63a9a3b9cb3ee427bc06de

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eb8f512705014448527ecdc9d3ab477abbaa13d5

commit eb8f512705014448527ecdc9d3ab477abbaa13d5
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-05-01 08:09:21 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-01 08:09:21 +0000

    sys-apps/shadow: stable 4.6 for ia64, bug #647790

    Bug: https://bugs.gentoo.org/647790
    Package-Manager: Portage-2.3.31, Repoman-2.3.9
    RepoMan-Options: --include-arches="ia64"

 sys-apps/shadow/shadow-4.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

arm64 stable

x86 stable

arm stable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7f28c89dd338a3ac67cfc436b30f9515ae9198de

commit 7f28c89dd338a3ac67cfc436b30f9515ae9198de
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-05-07 22:29:54 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-08 06:23:23 +0000

    sys-apps/shadow: stable 4.6 for sparc

    Bug: https://bugs.gentoo.org/647790
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="sparc"

 sys-apps/shadow/shadow-4.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e5c1ee8f4e5d7567ad2710cd8dd9922a05f5e5f7

commit e5c1ee8f4e5d7567ad2710cd8dd9922a05f5e5f7
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2018-05-11 22:56:15 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-05-11 22:56:15 +0000

    sys-apps/shadow: stable 4.6 for ppc, bug #647790

    Bug: https://bugs.gentoo.org/647790
    Package-Manager: Portage-2.3.36, Repoman-2.3.9
    RepoMan-Options: --include-arches="ppc"

 sys-apps/shadow/shadow-4.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Stable on alpha.

commit 60615b2d4290cf0f171f0cbe7948a47ada73376b
Author: Mike Frysinger <vapier@gentoo.org>
Date:   Mon May 21 04:50:24 2018 -0400

    sys-apps/shadow: mark 4.5/4.6 m68k/s390/sh stable

GLSA is ready for review

This issue was resolved and addressed in GLSA 201805-09 at https://security.gentoo.org/glsa/201805-09 by GLSA coordinator Aaron Bauman (b-man).