Shadow: TOCTOU Race — GLSA 202210-26

A TOCTOU (time-of-check to time-of-use) race has been discovered in Shadow, which could result in the unauthorized modification of files.

Affected packages

sys-apps/shadow on all architectures
Affected versions < 4.12.2
Unaffected versions >= 4.12.2

Background

Shadow contains utilities to deal with user accounts.

Description

A TOCTOU race condition was discovered in shadow. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw when the administrator invokes usermod/userdel.
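
The general defence against this class of race, as an added example that is not taken from the advisory or from shadow's source: a recursive directory removal that resolves every entry against an open directory file descriptor and never follows symlinks. The function names, the /tmp scratch directory and the tree built in selfcheck() are assumptions made for illustration.

```c
/* Added example, not shadow's code: fd-relative recursive directory removal. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove directory `name` (an entry of the open directory `parentfd`) and all
 * below it. Every check and every action is resolved against a directory fd,
 * so swapping a component for a symlink in between cannot redirect it. */
int remove_tree_at(int parentfd, const char *name) {
    /* O_NOFOLLOW: the open fails if `name` is, or has become, a symlink. */
    int fd = openat(parentfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    DIR *d = fdopendir(fd);                  /* d owns fd from here on */
    if (!d) { close(fd); return -1; }
    int rc = 0;
    struct dirent *e;
    struct stat st;
    while (rc == 0 && (e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        /* lstat semantics, relative to the open directory, not a path string */
        if (fstatat(fd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) < 0) rc = -1;
        else if (S_ISDIR(st.st_mode)) rc = remove_tree_at(fd, e->d_name);
        else rc = unlinkat(fd, e->d_name, 0); /* removes the link, not its target */
    }
    closedir(d);
    /* AT_REMOVEDIR refuses a symlink, so a late swap of `name` fails safely. */
    return rc == 0 ? unlinkat(parentfd, name, AT_REMOVEDIR) : -1;
}

/* Constructed scenario in a scratch directory: home/link -> ../outside, which
 * holds "keep". Returns 0 if home is removed and outside/keep is untouched. */
int selfcheck(void) {
    char base[] = "/tmp/glsa_demo_XXXXXX";
    int b = mkdtemp(base) ? open(base, O_RDONLY | O_DIRECTORY) : -1;
    if (b < 0) return -1;
    int ok = mkdirat(b, "home", 0700) == 0 && mkdirat(b, "home/sub", 0700) == 0
        && mkdirat(b, "outside", 0700) == 0
        && close(openat(b, "outside/keep", O_CREAT | O_WRONLY, 0600)) == 0
        && symlinkat("../outside", b, "home/link") == 0
        && remove_tree_at(b, "home") == 0
        && faccessat(b, "home", F_OK, 0) != 0           /* tree is gone */
        && faccessat(b, "outside/keep", F_OK, 0) == 0;  /* target survived */
    unlinkat(b, "outside/keep", 0); unlinkat(b, "outside", AT_REMOVEDIR);
    close(b); rmdir(base);
    return ok ? 0 : 1;
}
```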

Impact

An unauthorized user could potentially modify files which they do not have write permissions for.

Workaround

There is no known workaround at this time.

Resolution

All Shadow users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.12.2"
 

References

Release date
October 31, 2022

Latest revision
October 31, 2022: 1

Severity
normal

Exploitable
remote

Bugzilla entries