Shadow: Privilege escalation — GLSA 200903-24

An insecure temporary file usage in Shadow may allow local users to gain root privileges.

Affected packages

sys-apps/shadow on all architectures
Affected versions < 4.1.2.2
Unaffected versions >= 4.1.2.2

Background

Shadow is a set of tools to deal with user accounts.

Description

Paul Szabo reported a race condition in the "login" executable when setting up tty permissions.

Impact

A local attacker belonging to the "utmp" group could use symlink attacks to overwrite arbitrary files and possibly gain root privileges.
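The advisory names only the bug class: a race while "login" sets tty permissions, exploitable through symlinks. The C example below is added here as an illustration of the usual defence against that class and is not Shadow's code or its actual fix. The helper names and the temp-dir fixture are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: resolve the path once, refuse a symlink as its final
 * component, then verify and change the opened inode through the descriptor. */
int set_tty_perms_safe(const char *path, uid_t uid, gid_t gid, mode_t mode) {
    struct stat st;
    int rc = -1, fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK);
    if (fd < 0)
        return -1;              /* ELOOP on Linux when path is a symlink */
    if (fstat(fd, &st) == 0) {
        if (!S_ISCHR(st.st_mode))
            errno = ENOTTY;     /* not a character device: refuse */
        else if (fchown(fd, uid, gid) == 0 && fchmod(fd, mode) == 0)
            rc = 0;
    }
    int saved = errno;          /* keep the failure reason across close() */
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed fixture: file + symlink in a temp dir; returns the refusal errno. */
int refusal_errno(int via_symlink) {
    char dir[] = "/tmp/ttydemoXXXXXX", file[64], lnk[64];
    if (!mkdtemp(dir))
        return -1;
    snprintf(file, sizeof file, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/tty", dir);
    int fd = open(file, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || symlink(file, lnk) != 0)
        return -1;
    close(fd);
    const char *path = via_symlink ? lnk : file;
    int err = set_tty_perms_safe(path, getuid(), getgid(), 0600) == 0 ? 0 : errno;
    unlink(lnk);
    unlink(file);
    rmdir(dir);
    return err;
}

int main(void) {
    printf("symlink: %d, regular file: %d\n", refusal_errno(1), refusal_errno(0));
}
```

O_NOFOLLOW guards only the final path component, so the parent directories must not be writable by the unprivileged user.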

Workaround

There is no known workaround at this time.

Resolution

All Shadow users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.1.2.2"

References

Release date
March 10, 2009

Latest revision
March 10, 2009: 01

Severity
high

Exploitable
local

Bugzilla entries