Bug 627044 (CVE-2017-12424) - <sys-apps/shadow-4.5: newusers tool could be made to manipulate internal data structures (CVE-2017-12424)
Summary: <sys-apps/shadow-4.5: newusers tool could be made to manipulate internal data...
Alias: CVE-2017-12424
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A2 [glsa+ cve]
Depends on:
Reported: 2017-08-04 09:57 UTC by Aleksandr Wagner (Kivak)
Modified: 2018-04-09 00:04 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+
Description Aleksandr Wagner (Kivak) 2017-08-04 09:57:45 UTC
CVE-2017-12424:

In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-04 12:39:28 UTC
@ Arches,

please test and mark stable: =sys-apps/shadow-4.5
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-05 18:10:40 UTC
ia64 stable
Comment 3 Markus Meier gentoo-dev 2017-08-08 04:33:02 UTC
arm stable
Comment 4 Richard Freeman gentoo-dev 2017-08-09 16:34:24 UTC
amd64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-18 20:11:07 UTC
x86 stable
Comment 6 Matt Turner gentoo-dev 2017-08-25 22:35:21 UTC
alpha stable
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2017-09-10 22:12:42 UTC
sparc was dropped to exp.
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-24 19:44:01 UTC
ppc64 stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-27 09:13:50 UTC
ppc stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-13 19:53:35 UTC
hppa stable
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2017-10-13 22:38:32 UTC
GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-10-15 20:18:49 UTC
This issue was resolved and addressed in GLSA 201710-16 by GLSA coordinator Aaron Bauman (b-man).
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2017-10-15 20:19:57 UTC
re-opening for cleanup or mask.
Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-31 22:42:51 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 15 Mart Raudsepp gentoo-dev 2018-03-05 00:37:40 UTC
arm64 stable; cleanup should be more possible now.
Comment 16 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-04-08 17:00:31 UTC
All done, thank you all.
Comment 17 Larry the Git Cow gentoo-dev 2018-04-09 00:04:11 UTC
The bug has been referenced in the following commit(s):

commit 3639511fbbd747f125d97f46fb70169333366a80
Author:     Aaron Bauman <>
AuthorDate: 2018-04-08 17:06:53 +0000
Commit:     Aaron Bauman <>
CommitDate: 2018-04-09 00:04:02 +0000

    sys-apps/shadow: drop vulnerable
    Package-Manager: Portage-2.3.28, Repoman-2.3.9

 sys-apps/shadow/Manifest             |   1 -
 sys-apps/shadow/shadow-4.4-r2.ebuild | 213 -----------------------------------
 2 files changed, 214 deletions(-)