A TOCTOU race has been discovered in Shadow, which could result in the unauthorized modification of files.
Package | sys-apps/shadow on all architectures |
---|---|
Affected versions | < 4.12.2 |
Unaffected versions | >= 4.12.2 |
Shadow contains utilities to deal with user accounts.
A TOCTOU (time-of-check to time-of-use) race condition was discovered in shadow. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw when the administrator invokes usermod/userdel.
An unauthorized user could potentially modify files which they do not have write permissions for.
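The bug class described above, shown as an added example that is not shadow's code or its actual fix: a recursive directory removal in which every step is relative to an open descriptor, so a name that has become a symlink by the time it is used is refused rather than followed. The function names and the temporary tree are constructed for illustration.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove directory `name` inside the already-open directory `parentfd`.
 * Each step is descriptor-relative; no path is re-resolved after a check. */
int remove_tree_at(int parentfd, const char *name)
{
    /* O_NOFOLLOW: fail rather than follow if `name` is (now) a symlink. */
    int fd = openat(parentfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    DIR *d = fd < 0 ? NULL : fdopendir(fd);
    if (!d) { if (fd >= 0) close(fd); return -1; }
    int rc = 0;
    struct dirent *e;
    while (rc == 0 && (e = readdir(d)) != NULL) {
        struct stat st;
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        /* Inspect the entry itself, never what a symlink points to. */
        if (fstatat(fd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) < 0) rc = -1;
        else if (S_ISDIR(st.st_mode)) rc = remove_tree_at(fd, e->d_name);
        else rc = unlinkat(fd, e->d_name, 0); /* drops the link, not its target */
    }
    closedir(d); /* also closes fd */
    return rc ? rc : unlinkat(parentfd, name, AT_REMOVEDIR);
}

/* Constructed scenario: "swapped" is a symlink to keep/ when it is opened.
 * Returns 0 if that removal is refused and a real directory is removed. */
int demo_constructed_tree(void)
{
    char base[] = "/tmp/toctou-demo-XXXXXX";
    int bfd = mkdtemp(base) ? open(base, O_RDONLY | O_DIRECTORY | O_CLOEXEC) : -1;
    if (bfd < 0) return -1;
    mkdirat(bfd, "keep", 0700);
    mkdirat(bfd, "home", 0700);
    close(openat(bfd, "keep/data", O_CREAT | O_WRONLY, 0600));
    close(openat(bfd, "home/note", O_CREAT | O_WRONLY, 0600));
    symlinkat("keep", bfd, "swapped");
    int ok = remove_tree_at(bfd, "swapped") == -1       /* symlink refused */
          && faccessat(bfd, "keep/data", F_OK, 0) == 0  /* target intact */
          && remove_tree_at(bfd, "home") == 0 && faccessat(bfd, "home", F_OK, 0) != 0;
    remove_tree_at(bfd, "keep");                        /* clean up */
    unlinkat(bfd, "swapped", 0);
    close(bfd);
    rmdir(base);
    return ok ? 0 : 1;
}
```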
There is no known workaround at this time.
All Shadow users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.12.2"
Release date
October 31, 2022
Latest revision
October 31, 2022: 1
Severity
normal
Exploitable
remote
Bugzilla entries