– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Gentoo Linux Security Advisory GLSA 201710-16
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
https://security.gentoo.org/
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Severity: Normal
Title: Shadow: Buffer overflow
Date: October 15, 2017
Bugs: #627044
ID: 201710-16

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Synopsis
========

A vulnerability found in Shadow may allow remote attackers to cause a
Denial of Service condition or produce other unspecified behaviors.

Background
==========

Shadow is a set of tools to deal with user accounts.

Affected packages
=================

——————————————————————-
Package / Vulnerable / Unaffected
——————————————————————-
1 sys-apps/shadow < 4.5 >= 4.5

Description
===========

Malformed input in the newusers tool may produce crashes and other
unspecified behaviors.

Impact
======

A remote attacker could possibly cause a Denial of Service condition or
bypass privilege boundaries in some web-hosting environments in which a
Control Panel allows an unprivileged user account to create
subaccounts.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Shadow users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=sys-apps/shadow-4.5”

References
==========

[ 1 ] CVE-2017-12424
https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12424

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201710-16

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5—–BEGIN PGP SIGNATURE—–

iQEzBAABCAAdFiEEiDRK3jyVBE/RkymqpRQw84X1dt0FAlnjwpgACgkQpRQw84X1
dt3gDgf8D2c1LqRGkqPsJS1vZ3WStsxrpvvtvGOm3qEifukgig/lVqKyYMItWypj
1vaTHeUgxOv6S29+OmBADMYZ5d17PHaVljt0d0DNP7OFQ5NSayKsMhajNMv5npbp
I/X7nT0FAr3eikfHH2npwBVCZq+JLujjrFrEqq2+yoyV2Rn303a0xCxgWgDskSft
Ia8a2hx/mUHV2C9ZokL18hnkyJ31FVkhuYfD7718pt90W1SzQADGHNB9DSUNhN7t
GsjMJ8iN7rLZXQhIoawFEqoka6JPZctygLts46861AKjH5gJIMe2no4KPUyHCA3g
TVsj+ER0W9acDKl92gOfJBJae5C4TA==
=3fKl
—–END PGP SIGNATURE—–