LinuxSecurity.com 		Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: June 29th, 2009
Linux Advisory Watch: June 26th, 2009
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
RedHat: Low: shadow-utils security and bug fix update Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
RedHat Linux An updated shadow-utils package that fixes a security issue and several bugs is now available.A flaw was found in the useradd tool in shadow-utils. A new user's mailbox, when created, could have random permissions for a short period. This could allow a local attacker to read or modify the mailbox. This update has been rated as having low security impact by the Red Hat Security Response Team. 
- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Low: shadow-utils security and bug fix update
Advisory ID:       RHSA-2007:0431-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-0431.html
Issue date:        2007-06-07
Updated on:        2007-06-11
Product:           Red Hat Enterprise Linux
Keywords:          mailbox race condition
CVE Names:         CVE-2006-1174 
- ---------------------------------------------------------------------

1. Summary:

An updated shadow-utils package that fixes a security issue and several
bugs is now available.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

The shadow-utils package includes the necessary programs for converting
UNIX password files to the shadow password format, as well as programs 
for managing user and group accounts. 

A flaw was found in the useradd tool in shadow-utils. A new user's
mailbox, when created, could have random permissions for a short period.
This could allow a local attacker to read or modify the mailbox.
(CVE-2006-1174)

This update also fixes the following bugs:

* shadow-utils debuginfo package was empty.

* chage.1 and chage -l gave incorrect information about sp_inact.

All users of shadow-utils are advised to upgrade to this updated 
package, which contains backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  Use Red Hat
Network to download and update your packages.  To launch the Red Hat
Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/):

176949 - shadow-utils-debuginfo is empty
216635 - chage does not show the Account Expires if its shadow field is 0.
229194 - CVE-2006-1174 shadow-utils mailbox creation race condition

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/shadow-utils-4.0.3-29.RHEL3.src.rpm
966d844be451d09e732289fcf217af85  shadow-utils-4.0.3-29.RHEL3.src.rpm

i386:
70b7cf4df9bd1bee11c1f290ae3a1bbe  shadow-utils-4.0.3-29.RHEL3.i386.rpm
2878f009ae2277881d44c4f05fec1671  shadow-utils-debuginfo-4.0.3-29.RHEL3.i386.rpm

ia64:
83ccf4e549535ebe265043c2ebdd6a40  shadow-utils-4.0.3-29.RHEL3.ia64.rpm
5f83cb4808a46b52282e1acbce406a70  shadow-utils-debuginfo-4.0.3-29.RHEL3.ia64.rpm

ppc:
c686de929e196cd87b203e1ab85bbd01  shadow-utils-4.0.3-29.RHEL3.ppc.rpm
1a7206beb87ea524d7fafa5f69a7beff  shadow-utils-debuginfo-4.0.3-29.RHEL3.ppc.rpm

s390:
7badcd687970e0393547cac663e4d5b8  shadow-utils-4.0.3-29.RHEL3.s390.rpm
a24128e6b4f152c0cdbeec5d671b6578  shadow-utils-debuginfo-4.0.3-29.RHEL3.s390.rpm

s390x:
cdd3cc34271e7b59c0374f03a46e8715  shadow-utils-4.0.3-29.RHEL3.s390x.rpm
107d87178483ddb3c93342dfb7ba5120  shadow-utils-debuginfo-4.0.3-29.RHEL3.s390x.rpm

x86_64:
e6661e59bc80a8bb3f49566183a082a0  shadow-utils-4.0.3-29.RHEL3.x86_64.rpm
a380a8d6aabd84211c8b5850299a3ea1  shadow-utils-debuginfo-4.0.3-29.RHEL3.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/shadow-utils-4.0.3-29.RHEL3.src.rpm
966d844be451d09e732289fcf217af85  shadow-utils-4.0.3-29.RHEL3.src.rpm

i386:
70b7cf4df9bd1bee11c1f290ae3a1bbe  shadow-utils-4.0.3-29.RHEL3.i386.rpm
2878f009ae2277881d44c4f05fec1671  shadow-utils-debuginfo-4.0.3-29.RHEL3.i386.rpm

x86_64:
e6661e59bc80a8bb3f49566183a082a0  shadow-utils-4.0.3-29.RHEL3.x86_64.rpm
a380a8d6aabd84211c8b5850299a3ea1  shadow-utils-debuginfo-4.0.3-29.RHEL3.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/shadow-utils-4.0.3-29.RHEL3.src.rpm
966d844be451d09e732289fcf217af85  shadow-utils-4.0.3-29.RHEL3.src.rpm

i386:
70b7cf4df9bd1bee11c1f290ae3a1bbe  shadow-utils-4.0.3-29.RHEL3.i386.rpm
2878f009ae2277881d44c4f05fec1671  shadow-utils-debuginfo-4.0.3-29.RHEL3.i386.rpm

ia64:
83ccf4e549535ebe265043c2ebdd6a40  shadow-utils-4.0.3-29.RHEL3.ia64.rpm
5f83cb4808a46b52282e1acbce406a70  shadow-utils-debuginfo-4.0.3-29.RHEL3.ia64.rpm

x86_64:
e6661e59bc80a8bb3f49566183a082a0  shadow-utils-4.0.3-29.RHEL3.x86_64.rpm
a380a8d6aabd84211c8b5850299a3ea1  shadow-utils-debuginfo-4.0.3-29.RHEL3.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/shadow-utils-4.0.3-29.RHEL3.src.rpm
966d844be451d09e732289fcf217af85  shadow-utils-4.0.3-29.RHEL3.src.rpm

i386:
70b7cf4df9bd1bee11c1f290ae3a1bbe  shadow-utils-4.0.3-29.RHEL3.i386.rpm
2878f009ae2277881d44c4f05fec1671  shadow-utils-debuginfo-4.0.3-29.RHEL3.i386.rpm

ia64:
83ccf4e549535ebe265043c2ebdd6a40  shadow-utils-4.0.3-29.RHEL3.ia64.rpm
5f83cb4808a46b52282e1acbce406a70  shadow-utils-debuginfo-4.0.3-29.RHEL3.ia64.rpm

x86_64:
e6661e59bc80a8bb3f49566183a082a0  shadow-utils-4.0.3-29.RHEL3.x86_64.rpm
a380a8d6aabd84211c8b5850299a3ea1  shadow-utils-debuginfo-4.0.3-29.RHEL3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1174
http://www.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
 
< Prev   Next >
    
Partner:

 
Latest Features
Review: Googling Security: How Much Does Google Know About You
A Secure Nagios Server
Never Installed a Firewall on Ubuntu? Try Firestarter
Review: Hacking Exposed Linux, Third Edition
Security Features of Firefox 3.0
Review: The Book of Wireless
April 2008 Open Source Tool of the Month: sudo
Yesterday's Edition

QuickLinks: Comunity , HOWTOs , Blogs , Features , Book Reviews , Networking ,
  Security Projects ,   Latest News ,  Newsletters ,  SELinux ,  Privacy ,  Home,
 Hardening ,   About Us,   Advertise,   Legal Notice,   RSS,   Guardian Digital
  Home Security Systems, Surveillance Cameras

(c)Copyright 2009 Guardian Digital, Inc. All rights reserved.