CVE-2017-12424 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12424):

In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.

References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756630
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1266675
https://github.com/shadow-maint/shadow/commit/954e3d2e7113e9ac06632aee3c69b8d818cc8952
@ Arches, please test and mark stable: =sys-apps/shadow-4.5
ia64 stable
arm stable
amd64 stable
x86 stable
alpha stable
sparc was dropped to exp. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
ppc64 stable
ppc stable
hppa stable
GLSA request filed.
This issue was resolved and addressed in GLSA 201710-16 at https://security.gentoo.org/glsa/201710-16 by GLSA coordinator Aaron Bauman (b-man).
re-opening for cleanup or mask.
sparc stable (thanks to Rolf Eike Beer)
arm64 stable; cleanup should be more possible now.
All done, thank you all.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3639511fbbd747f125d97f46fb70169333366a80

commit 3639511fbbd747f125d97f46fb70169333366a80
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-08 17:06:53 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-09 00:04:02 +0000

    sys-apps/shadow: drop vulnerable

    Bug: https://bugs.gentoo.org/627044
    Package-Manager: Portage-2.3.28, Repoman-2.3.9
    Closes: https://github.com/gentoo/gentoo/pull/7882

 sys-apps/shadow/Manifest             |   1 -
 sys-apps/shadow/shadow-4.4-r2.ebuild | 213 -----------------------------------
 2 files changed, 214 deletions(-)