Bug 133615 - sys-apps/shadow Privilege escalation
Summary: sys-apps/shadow Privilege escalation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: A1 [glsa] DerCorny
Keywords:
Depends on:
Blocks:
 
Reported: 2006-05-17 09:50 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-07-08 20:54 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-17 09:50:07 UTC
Reported by Solar Designer on V-S:

This is regarding the patch at:

http://cvs.pld.org.pl/shadow/src/useradd.c?r1=1.50&r2=1.51

with the commit message:

"useradd: fixes a potential security problem when mailbox is created in
useradd.
Patch and comment by Koblinger Egmont <egmont@uhulinux.hu>:
Only two arguments are passed to the open() call though it expects three
because O_CREAT is present. Hence the permission of the file first becomes
some random garbage found on the stack, and an attacker can perhaps open
this file and hold it open for reading or writing before the proper
fchmod() is executed. (Actually, we could also pass the final "mode" to
the open() call and then save the consequent fchmod().)"

which is now being tracked as CERT VU#312962.

The patch forgets to check the return value from fchown() before
proceeding with the fchmod().  We've got a better version of the patch
(essentially a re-implementation of this functionality) here:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/shadow-utils/shadow-4.0.4.1-owl-create-mailbox.diff?rev=HEAD

As far as I can recall, this re-implementation is originally by Rafal
Wojtczuk and it's been in Owl since 2001:

* Wed Aug 21 2001 Rafal Wojtczuk <nergal-at-owl.openwall.com>
- fixed mailbox creation, which was wrong in rh patch

(actually committed into Owl in November, 2001).

Also, no, it would not be safe to pass the final mode into open() right
away.  That would open up a race condition, too, where the file might be
read/writable by group root instead of group mail for a moment.
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-18 08:51:02 UTC
vpaier, you are in base-system herd, mind taking a look?
Comment 2 SpanKY gentoo-dev 2006-05-26 00:03:16 UTC
this isn't CONFIDENTIAL as it's been merged in upstream cvs

I've grabbed the upstream fix and added shadow-4.0.15-r2:
http://cvs.pld.org.pl/shadow/src/useradd.c?r1=1.93&r2=1.94
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2006-05-30 11:32:23 UTC
archs please test and mark shadow-4.0.15-r2 stable
Comment 4 Markus Rothe (RETIRED) gentoo-dev 2006-05-30 12:23:51 UTC
stable on ppc64
Comment 5 Luca Barbato gentoo-dev 2006-05-30 13:28:52 UTC
Marked ppc
Comment 6 Chris Gianelloni (RETIRED) gentoo-dev 2006-05-30 14:22:56 UTC
Oh yeah... amd64/x86 done... (sorry for the bug spam)
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2006-05-30 14:26:21 UTC
sparc stable.
Comment 8 Markus Ullmann (RETIRED) gentoo-dev 2006-05-30 15:18:02 UTC
ARM done
Comment 9 Thomas Cort (RETIRED) gentoo-dev 2006-05-31 20:39:29 UTC
alpha stable.
Comment 10 René Nussbaumer (RETIRED) gentoo-dev 2006-06-03 02:45:30 UTC
stable on hppa
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-07 07:23:58 UTC
GLSA 200606-02
Comment 12 Joshua Kinard gentoo-dev 2006-07-08 20:54:11 UTC
The mips team doth anoint this bug with the Mark of Stability +1.