Shadow: security bypass — GLSA 201805-09

A vulnerability found in Shadow may allow local attackers to bypass security restrictions.

Affected packages

sys-apps/shadow on all architectures
Affected versions < 4.6
Unaffected versions >= 4.6

Background

Shadow is a set of tools to deal with user accounts.

Description

A local attacker could possibly bypass security restrictions if an administrator used “group blacklisting” to restrict access to file system paths.

Impact

A local attacker could possibly bypass security restrictions.

Workaround

There is no known workaround at this time.

Resolution

All shadow users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.6"
 

References

Release date
May 22, 2018

Latest revision
May 22, 2018: 1

Severity
normal

Exploitable
remote

Bugzilla entries