
Bug 830486 (CVE-2013-4235)

Summary: <sys-apps/shadow-4.12.2: TOCTOU race condition in usermod/userdel (CVE-2013-4235)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: base-system
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 831980, 867358    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-03 05:07:26 UTC
A TOCTOU race condition was discovered in shadow-utils. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw, when the administrator invokes usermod/userdel, to delete or modify other files on the system.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-18 22:07:50 UTC
4.12.2 contains https://github.com/shadow-maint/shadow/pull/545. I'm guessing it was an incomplete fix before.
Comment 2 Larry the Git Cow gentoo-dev 2022-08-18 23:08:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=620576deeeeafb1f79930a822959b80ec57b40ab

commit 620576deeeeafb1f79930a822959b80ec57b40ab
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-08-18 22:29:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-18 23:07:03 +0000

    sys-apps/shadow: add 4.12.2
    
    Bug: https://bugs.gentoo.org/830486
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/shadow/Manifest             |   2 +
 sys-apps/shadow/shadow-4.12.2.ebuild | 259 +++++++++++++++++++++++++++++++++++
 2 files changed, 261 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-30 19:58:37 UTC
(In reply to Sam James from comment #1)
> 4.12.2 contains https://github.com/shadow-maint/shadow/pull/545. I'm
> guessing it was an incomplete fix before.

"Well, that was papering it over.

Let's say you are deleting user joe, but user joe had a file owned by user mitch. dcca865 would force joe's processes to be killed, but user mitch might in theory be able to use the TOCTTOU to make bad things happen. This PR actually addresses the TOCTTOU itself."
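
The race class discussed above, as an added illustration (not code from shadow, the linked pull request, or any participant in this bug): one general way to remove a directory tree without a check-then-use window is to resolve every name relative to an already-open directory descriptor and refuse to follow symlinks. The names `remove_tree_at` and `demo` and the tree under `/tmp` are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Empty the directory behind dirfd (consumed). Each name is resolved relative
 * to an already-open fd; O_NOFOLLOW rejects a name swapped for a symlink. */
static int remove_tree_at(int dirfd) {
    int rc = 0;
    struct dirent *e;
    DIR *d = fdopendir(dirfd);
    if (!d) { close(dirfd); return -1; }
    while ((e = readdir(d)) != NULL) {
        struct stat st;
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        if (fstatat(dirfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) < 0) { rc = -1; continue; }
        if (S_ISDIR(st.st_mode)) {
            int sub = openat(dirfd, e->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
            if (sub < 0 || remove_tree_at(sub) < 0) { rc = -1; continue; }
            if (unlinkat(dirfd, e->d_name, AT_REMOVEDIR) < 0) rc = -1;
        } else if (unlinkat(dirfd, e->d_name, 0) < 0)   /* symlink: unlinked, not followed */
            rc = -1;
    }
    closedir(d);                           /* also closes dirfd */
    return rc;
}

/* Constructed tree: home/ holds sub/file and a symlink to ../outside. */
int demo(void) {
    char base[] = "/tmp/toctou-demo-XXXXXX";
    int b, rc, kept;
    if (!mkdtemp(base) || (b = open(base, O_RDONLY | O_DIRECTORY)) < 0) return -1;
    if (mkdirat(b, "outside", 0700) || mkdirat(b, "home", 0700) ||
        mkdirat(b, "home/sub", 0700) || symlinkat("../outside", b, "home/link"))
        return -1;
    close(openat(b, "outside/keep", O_CREAT | O_WRONLY, 0600));
    close(openat(b, "home/sub/file", O_CREAT | O_WRONLY, 0600));
    rc = remove_tree_at(openat(b, "home", O_RDONLY | O_DIRECTORY | O_NOFOLLOW));
    rc |= unlinkat(b, "home", AT_REMOVEDIR);
    kept = faccessat(b, "outside/keep", F_OK, 0) == 0;   /* link target untouched */
    unlinkat(b, "outside/keep", 0); unlinkat(b, "outside", AT_REMOVEDIR);
    close(b); rmdir(base);
    return (rc == 0 && kept) ? 0 : -1;
}
int main(void) { return demo() ? 1 : 0; }
```

If an entry is replaced by a symlink between the `fstatat` and the `openat`, the open fails instead of descending into the link target, and `unlinkat` with `AT_REMOVEDIR` fails on a symlink rather than removing what it points to.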
Comment 4 Larry the Git Cow gentoo-dev 2022-10-31 01:41:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=ca82b22f363882c75c7932c5a53e38ceb60b42e2

commit ca82b22f363882c75c7932c5a53e38ceb60b42e2
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:22:12 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:16 +0000

    [ GLSA 202210-26 ] Shadow: TOCTOU Race
    
    Bug: https://bugs.gentoo.org/830486
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-26.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 02:21:41 UTC
GLSA released, all done!