Ubuntu: 1065-1: shadow vulnerability
Posted by Benjamin D. Thomas
Kees Cook discovered that some shadow utilities did not correctly validate user input. A local attacker could exploit this flaw to inject newlines into the /etc/passwd file. If the system was configured to use NIS, this could lead to existing NIS groups or users gaining or losing access to the system, resulting in a denial of service or unauthorized access.
===========================================================
Ubuntu Security Notice USN-1065-1         February 15, 2011
shadow vulnerability
CVE-2011-0721
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  passwd                          1:4.1.4.1-1ubuntu2.2

Ubuntu 10.04 LTS:
  passwd                          1:4.1.4.2-1ubuntu2.2

Ubuntu 10.10:
  passwd                          1:4.1.4.2-1ubuntu3.2

In general, a standard system update will make all the necessary changes.

Details follow:

Kees Cook discovered that some shadow utilities did not correctly validate
user input. A local attacker could exploit this flaw to inject newlines into
the /etc/passwd file. If the system was configured to use NIS, this could
lead to existing NIS groups or users gaining or losing access to the system,
resulting in a denial of service or unauthorized access.
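
The check below is an added example, not code from the shadow package or from this advisory. It shows the kind of field validation whose absence the advisory describes, plus an audit pass that flags passwd records split by a stray newline and lines starting with '+' or '-' (NIS compat entries). The names field_is_safe, audit_passwd and SAMPLE are hypothetical, and the sample data is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if value can be stored as a single passwd(5) field:
 * no ':' (field separator), no newline or other control byte. */
int field_is_safe(const char *value)
{
    for (const unsigned char *p = (const unsigned char *)value; *p; p++)
        if (*p == ':' || *p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

struct audit { int lines, malformed, nis_entries; };

/* Audit passwd-format text: count non-empty lines, lines that do not
 * have exactly seven fields, and NIS compat entries ('+' or '-' first).
 * NIS entries may be legitimate; compare them against a known baseline. */
struct audit audit_passwd(const char *text)
{
    struct audit a = {0, 0, 0};
    for (const char *line = text; *line; ) {
        size_t len = strcspn(line, "\n");
        if (len > 0) {
            int colons = 0;
            for (size_t i = 0; i < len; i++)
                if (line[i] == ':')
                    colons++;
            a.lines++;
            if (line[0] == '+' || line[0] == '-')
                a.nis_entries++;
            else if (colons != 6)
                a.malformed++;
        }
        line += len;
        if (*line == '\n')
            line++;
    }
    return a;
}

/* Constructed sample: alice's record is split across two lines. */
static const char SAMPLE[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000:Alice\n"
    "Example:/home/alice:/bin/bash\n"
    "-@contractors::::::\n"
    "bob:x:1001:1001:Bob:/home/bob:/bin/sh\n";

int main(void)
{
    struct audit a = audit_passwd(SAMPLE);
    printf("lines=%d malformed=%d nis=%d\n", a.lines, a.malformed, a.nis_entries);
    return 0;
}
```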


Updated packages for Ubuntu 9.10:


Updated packages for Ubuntu 10.04 LTS:


Updated packages for Ubuntu 10.10:


 