Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

MDKSA-2004:126 - Updated shadow-utils packages fix security bypass vulnerability
From: Mandrake Linux Security Team <security () linux-mandrake com>
Date: 5 Nov 2004 00:06:35 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           shadow-utils
 Advisory ID:            MDKSA-2004:126
 Date:                   November 4th, 2004

 Affected versions:      10.0, 10.1, 9.2, Corporate Server 2.1,
                         Multi Network Firewall 8.2
 ______________________________________________________________________

 Problem Description:

 A vulnerability in the shadow suite was discovered by Martin Schulze
 that can be exploited by local users to bypass certain security
 restrictions due to an input validation error in the passwd_check()
 function.  This function is used by the chfn and chsh tools.
 
 The updated packages have been patched to prevent this problem.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1001
  http://secunia.com/advisories/13028
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 0ba43408dbd43f4cb91f0409c55d2a33  10.0/RPMS/shadow-utils-4.0.3-8.1.100mdk.i586.rpm
 b614188ebd45398b9211c623703e192f  10.0/SRPMS/shadow-utils-4.0.3-8.1.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 ab7dd6ff065b58c3566cb7b22d3621f9  amd64/10.0/RPMS/shadow-utils-4.0.3-8.1.100mdk.amd64.rpm
 b614188ebd45398b9211c623703e192f  amd64/10.0/SRPMS/shadow-utils-4.0.3-8.1.100mdk.src.rpm

 Mandrakelinux 10.1:
 f4eb58ab0b8da58a33ce2c0cf4c7d87f  10.1/RPMS/shadow-utils-4.0.3-8.1.101mdk.i586.rpm
 89fe1fc7fe11812bd4a1ae913334d7f6  10.1/SRPMS/shadow-utils-4.0.3-8.1.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 e99e42d23e61c94beeeaf4a34c87bf03  x86_64/10.1/RPMS/shadow-utils-4.0.3-8.1.101mdk.x86_64.rpm
 89fe1fc7fe11812bd4a1ae913334d7f6  x86_64/10.1/SRPMS/shadow-utils-4.0.3-8.1.101mdk.src.rpm

 Corporate Server 2.1:
 6af1c44ec3708155e84453f24d02ecaf  corporate/2.1/RPMS/shadow-utils-20000902-10.1.C21mdk.i586.rpm
 fda9c8a42041a45fce3b89ac7c5fa4bc  corporate/2.1/SRPMS/shadow-utils-20000902-10.1.C21mdk.src.rpm

 Corporate Server 2.1/x86_64:
 793499a2e451a4e094071ec99b5e938c  x86_64/corporate/2.1/RPMS/shadow-utils-20000902-10.1.C21mdk.x86_64.rpm
 fda9c8a42041a45fce3b89ac7c5fa4bc  x86_64/corporate/2.1/SRPMS/shadow-utils-20000902-10.1.C21mdk.src.rpm

 Mandrakelinux 9.2:
 24cf182746a19950907d229076a36a50  9.2/RPMS/shadow-utils-4.0.3-5.1.92mdk.i586.rpm
 002303dab59ab225b54c7326e65fd6e2  9.2/SRPMS/shadow-utils-4.0.3-5.1.92mdk.src.rpm

 Mandrakelinux 9.2/AMD64:
 cb2c6e2a866acd66b199d26c931156ed  amd64/9.2/RPMS/shadow-utils-4.0.3-5.1.92mdk.amd64.rpm
 002303dab59ab225b54c7326e65fd6e2  amd64/9.2/SRPMS/shadow-utils-4.0.3-5.1.92mdk.src.rpm

 Multi Network Firewall 8.2:
 b37dbc5eeb09399f5227559779b1c7d9  mnf8.2/RPMS/shadow-utils-20000902-5.2.M82mdk.i586.rpm
 bbe070cc85b48a9f79234aded8d14d3f  mnf8.2/SRPMS/shadow-utils-20000902-5.2.M82mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBisQLmqjQ0CJFipgRAjxnAKDiPNuXFGPdoCAABaiKY1H2ACZA/gCfdeSK
+ORdEraVt0csvxhtJmKs6E8=
=/q0Z
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • MDKSA-2004:126 - Updated shadow-utils packages fix security bypass vulnerability Mandrake Linux Security Team (Nov 05)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]