830486 – (CVE-2013-4235) <sys-apps/shadow-4.12.2: TOCTOU race condition in usermod/userdel (CVE-2013-4235)

Bug 830486 (CVE-2013-4235) - <sys-apps/shadow-4.12.2: TOCTOU race condition in usermod/userdel (CVE-2013-4235)

Summary: <sys-apps/shadow-4.12.2: TOCTOU race condition in usermod/userdel (CVE-2013-4...

Status:	RESOLVED FIXED

Alias:	CVE-2013-4235

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	A3 [glsa+]
Keywords:

Depends on:	831980 867358
Blocks:
	Show dependency tree

Reported:	2022-01-03 05:07 UTC by Sam James
Modified:	2022-10-31 02:21 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2022-01-03 05:07:26 UTC

A TOCTOU race condition was discovered in shadow-utils. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw, when the administrator invokes usermod/userdel, to delete or modify other files on the system.

Comment 1 Sam James archtester

2022-08-18 22:07:50 UTC

4.12.2 contains https://github.com/shadow-maint/shadow/pull/545. I'm guessing it was an incomplete fix before.

Comment 2 Larry the Git Cow gentoo-dev

2022-08-18 23:08:00 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=620576deeeeafb1f79930a822959b80ec57b40ab

commit 620576deeeeafb1f79930a822959b80ec57b40ab
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-08-18 22:29:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-18 23:07:03 +0000

    sys-apps/shadow: add 4.12.2
    
    Bug: https://bugs.gentoo.org/830486
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/shadow/Manifest             |   2 +
 sys-apps/shadow/shadow-4.12.2.ebuild | 259 +++++++++++++++++++++++++++++++++++
 2 files changed, 261 insertions(+)

Comment 3 John Helmert III archtester

2022-09-30 19:58:37 UTC

(In reply to Sam James from comment #1)
> 4.12.2 contains https://github.com/shadow-maint/shadow/pull/545. I'm
> guessing it was an incomplete fix before.

"Well, that was papering it over.

Let's say you are deleting user joe, but user joe had a file owned by user mitch. dcca865 would force joe's processes to be killed, but user mitch might in theory be able to use the TOCTTOU to make bad things happen. This PR actually addresses the TOCTTOU itself."

Comment 4 Larry the Git Cow gentoo-dev

2022-10-31 01:41:44 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=ca82b22f363882c75c7932c5a53e38ceb60b42e2

commit ca82b22f363882c75c7932c5a53e38ceb60b42e2
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:22:12 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:16 +0000

    [ GLSA 202210-26 ] Shadow: TOCTOU Race
    
    Bug: https://bugs.gentoo.org/830486
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-26.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

Comment 5 John Helmert III archtester

2022-10-31 02:21:41 UTC

GLSA released, all done!