Multiple Shadow utilities were installed with setuid permissions, allowing possible root privilege escalation.
|Package||sys-apps/shadow on all architectures|
|Affected versions||< 4.8-r3|
|Unaffected versions||>= 4.8-r3|
Shadow is a set of tools to deal with user accounts.
When Shadow was installed with the PAM use flag, setuid binaries provided by Shadow were not properly restricted.
A local attacker could escalate privileges to root.
There is no known workaround at this time.
All Shadow users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.8-r3"
August 25, 2020
August 25, 2020: 1