Reported by Solar Designer on V-S:

This is regarding the patch at:

http://cvs.pld.org.pl/shadow/src/useradd.c?r1=1.50&r2=1.51

with the commit message:

"useradd: fixes a potential security problem when mailbox is created in useradd. Patch and comment by Koblinger Egmont <egmont@uhulinux.hu>: Only two arguments are passed to the open() call though it expects three because O_CREAT is present. Hence the permission of the file first becomes some random garbage found on the stack, and an attacker can perhaps open this file and hold it open for reading or writing before the proper fchmod() is executed. (Actually, we could also pass the final "mode" to the open() call and then save the consequent fchmod().)"

which is now being tracked as CERT VU#312962.

The patch forgets to check the return value from fchown() before proceeding with the fchmod().

We've got a better version of the patch (essentially a re-implementation of this functionality) here:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/shadow-utils/shadow-4.0.4.1-owl-create-mailbox.diff?rev=HEAD

As far as I can recall, this re-implementation is originally by Rafal Wojtczuk and it's been in Owl since 2001:

* Wed Aug 21 2001 Rafal Wojtczuk <nergal-at-owl.openwall.com>
- fixed mailbox creation, which was wrong in rh patch

(actually committed into Owl in November, 2001).

Also, no, it would not be safe to pass the final mode into open() right away. That would open up a race condition, too, where the file might be read/writable by group root instead of group mail for a moment.
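The ordering the report above argues for (create the file with no permissions, set ownership and check the result, only then grant the final mode), as an added C example. It is not the shadow or Owl patch; `create_mailbox` and the demo path are hypothetical names.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not shadow's or Owl's code): create an empty mailbox
 * at `path`, owned by uid:gid, ending up with permissions `mode`.
 * Returns 0 on success, -1 on failure (a partly created file is removed). */
int create_mailbox(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    /* O_CREAT requires the third argument. Mode 0 keeps everyone out until
     * ownership is settled; passing the final mode here would briefly expose
     * the file to the creator's group instead of the mail group. O_EXCL
     * refuses a file or symlink already planted at the path. */
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0);
    if (fd < 0)
        return -1;

    /* Ownership first, and checked: if this fails, the file must not be
     * made accessible under the creator's uid/gid. */
    if (fchown(fd, uid, gid) != 0)
        goto fail;

    /* Only now grant the final permissions (e.g. 0660, user + mail group). */
    if (fchmod(fd, mode) != 0)
        goto fail;

    if (close(fd) != 0) {
        unlink(path);
        return -1;
    }
    return 0;

fail:
    close(fd);
    unlink(path);
    return -1;
}

int main(void)
{
    /* Constructed demo: a scratch path, owned by the calling user. */
    const char *path = "/tmp/mailbox-demo.example";
    unlink(path);
    int rc = create_mailbox(path, getuid(), getgid(), 0660);
    printf("create_mailbox: %d\n", rc);
    unlink(path);
    return rc == 0 ? 0 : 1;
}
```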
vpaier, you are in base-system herd, mind to take a look?
This isn't CONFIDENTIAL as it's been merged in upstream CVS. I've grabbed the upstream fix and added shadow-4.0.15-r2: http://cvs.pld.org.pl/shadow/src/useradd.c?r1=1.93&r2=1.94
archs please test and mark shadow-4.0.15-r2 stable
stable on ppc64
Marked ppc
Oh yeah... amd64/x86 done... (sorry for the bug spam)
sparc stable.
ARM done
alpha stable.
stable on hppa
GLSA 200606-02
The mips team doth anoint this bug with the Mark of Stability +1.