In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.
please test and mark stable: =sys-apps/shadow-4.5
sparc was dropped to exp.
GLSA requested filed.
This issue was resolved and addressed in
GLSA 201710-16 at https://security.gentoo.org/glsa/201710-16
by GLSA coordinator Aaron Bauman (b-man).
re-opening for cleanup or mask.
sparc stable (thanks to Rolf Eike Beer)
arm64 stable; cleanup should be more possible now.
All done, thank you all.
The bug has been referenced in the following commit(s):
Author: Aaron Bauman <email@example.com>
AuthorDate: 2018-04-08 17:06:53 +0000
Commit: Aaron Bauman <firstname.lastname@example.org>
CommitDate: 2018-04-09 00:04:02 +0000
sys-apps/shadow: drop vulnerable
Package-Manager: Portage-2.3.28, Repoman-2.3.9
sys-apps/shadow/Manifest | 1 -
sys-apps/shadow/shadow-4.4-r2.ebuild | 213 -----------------------------------
2 files changed, 214 deletions(-)}