Bug 52968 - shadow: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.4
All Linux
: P3 normal
: UCS 4.4-7-errata
Assigned To: Quality Assurance
Erik Damrose
Reported: 2021-03-22 10:24 CET by Quality Assurance
Modified: 2021-03-24 15:59 CET
What kind of report is it?: Security Issue
Max CVSS v3 score: 4.5 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L) NVD RedHat
Description Quality Assurance univentionstaff 2021-03-22 10:24:38 CET
New Debian shadow 1:4.4-4.1+deb9u1 fixes:
This update addresses the following issues:
* Buffer overflow via newusers tool (CVE-2017-12424)
* The Debian shadow package before 1:4.5-1 for Shadow incorrectly lists pts/0 and pts/1 as physical terminals in /etc/securetty. This allows local users to login as password-less users even if they are connected by non-physical means such as SSH (hence bypassing PAM's nullok_secure configuration). This notably affects environments such as virtual machines automatically generated with a default blank root password, allowing all local users to escalate privileges. (CVE-2017-20002)
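
An added example, not part of the original bug report or of the shadow package: a shell check for the CVE-2017-20002 condition, run against copies of `/etc/securetty` and `/etc/shadow`. The function names and the sample file contents are constructed for illustration, and the check reads file contents only; whether a blank password is accepted at all also depends on the PAM configuration (`nullok_secure`).

```shell
#!/bin/sh
# Added example: check for the CVE-2017-20002 condition on copies of the files.

# List pts/N entries in a securetty-format file (comments and blanks ignored).
securetty_pts_entries() {
    sed -e 's/#.*$//' -e 's/[[:space:]]//g' "$1" | grep -E '^pts/[0-9]+$' || true
}

# List accounts whose password field (field 2) in a shadow-format file is empty.
# Locked accounts ("!" or "*") are not reported: they cannot log in at all.
empty_password_accounts() {
    awk -F: 'NF >= 2 && $1 != "" && $2 == "" { print $1 }' "$1"
}

# Print one verdict word: "exposed", "pts-listed" or "ok".
audit_securetty() {
    pts=$(securetty_pts_entries "$1")
    empty=$(empty_password_accounts "$2")
    if [ -n "$pts" ] && [ -n "$empty" ]; then
        echo exposed        # password-less login possible from a pseudo-terminal
    elif [ -n "$pts" ]; then
        echo pts-listed     # no blank password today, but securetty is weakened
    else
        echo ok
    fi
}

# Constructed sample input (not taken from a real system).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/securetty.before" <<'EOF'
# physical consoles
console
tty1
# entries added by the affected package versions
pts/0
pts/1
EOF
grep -v '^pts/' "$demo/securetty.before" > "$demo/securetty.after"
cat > "$demo/shadow" <<'EOF'
root::18700:0:99999:7:::
daemon:*:18700:0:99999:7:::
alice:$6$constructed$notarealhash:18700:0:99999:7:::
EOF

echo "before update: $(audit_securetty "$demo/securetty.before" "$demo/shadow")"
echo "after update:  $(audit_securetty "$demo/securetty.after" "$demo/shadow")"
```
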
Comment 1 Quality Assurance univentionstaff 2021-03-22 11:00:49 CET
--- mirror/ftp/4.3/unmaintained/4.3-0/source/shadow_4.4-4.1.dsc
+++ apt/ucs_4.4-0-errata4.4-7/source/shadow_4.4-4.1+deb9u1.dsc
@@ -1,3 +1,20 @@
+1:4.4-4.1+deb9u1 [Wed, 17 Mar 2021 10:27:01 +0100] Sylvain Beucler <beuc@debian.org>:
+
+  * Non-maintainer upload by the LTS Security Team.
+  * CVE-2017-20002: revert adding pts/0 and pts/1 to securetty.
+    Adding pts/* defeats the purpose of securetty. Let containers add it
+    if needed as described in #830255.
+    (cherry-picked from 1:4.5-1)
+    See also #877374 (previous proposed update) and #914957
+    (/etc/securetty will be dropped in bullseye).
+  * CVE-2017-12424: the newusers tool could be made to manipulate internal
+    data structures in ways unintended by the authors. Malformed input may
+    lead to crashes (with a buffer overflow or other memory corruption) or
+    other unspecified behaviors. This crosses a privilege boundary in, for
+    example, certain web-hosting environments in which a Control Panel
+    allows an unprivileged user account to create subaccounts.
+    (Closes: #756630)
+
 1:4.4-4.1 [Wed, 17 May 2017 13:59:59 +0200] Salvatore Bonaccorso <carnil@debian.org>:
 
   * Non-maintainer upload.
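
Review bot: The CVE-2017-12424 entry in the added changelog block describes only the impact of malformed newusers input ("crashes (with a buffer overflow or other memory corruption)") and never says what was changed in the tool, unlike the CVE-2017-20002 entry, which names the revert. Suggest adding one line on the fix itself so the errata text can state what behaviour changed. For CVE-2017-20002 it would also help to say whether an existing /etc/securetty on upgraded systems is rewritten, since the entry only states that the addition of pts/0 and pts/1 is reverted.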

<http://piuparts.knut.univention.de/4.4-7/#8292891427075887129>
Comment 2 Erik Damrose univentionstaff 2021-03-23 19:06:36 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-7] 5f6b9dee13 Bug #52968: shadow 1:4.4-4.1+deb9u1
 doc/errata/staging/shadow.yaml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)