A TOCTOU race has been discovered in Shadow, which could result in the unauthorized modification of files.
| Package | sys-apps/shadow on all architectures |
| Affected versions | < 4.12.2 |
| Unaffected versions | >= 4.12.2 |
Shadow contains utilities to deal with user accounts.
A TOCTOU race condition was discovered in shadow. A local attacker with write privileges in a directory removed or copied by usermod/userdel could potentially exploit this flaw when the administrator invokes usermod/userdel.
An unauthorized user could potentially modify files which they do not have write permissions for.
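The bug class named above, as an added illustration (not shadow's code or its actual patch; the advisory gives no implementation detail): a tree removal in C that performs every step relative to an already-open directory descriptor, so a user with write access to the directory cannot redirect the walk by swapping an entry for a symlink between check and use. `remove_tree_at` and `demo` are hypothetical names, and the tree under /tmp is constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove `name` under parent_fd. The "is it a real directory?" check and the
 * open are one syscall (O_DIRECTORY | O_NOFOLLOW), and every later step uses
 * the resulting fd, so there is no window in which a path can be re-pointed. */
int remove_tree_at(int parent_fd, const char *name)
{
    int fd = openat(parent_fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) {
        /* Regular file or symlink: delete the entry itself, never its target. */
        if (errno == ENOTDIR || errno == ELOOP)
            return unlinkat(parent_fd, name, 0);
        return -1;
    }
    DIR *d = fdopendir(fd);
    if (!d) { close(fd); return -1; }
    int rc = 0;
    struct dirent *e;
    while (rc == 0 && (e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        rc = remove_tree_at(dirfd(d), e->d_name);  /* relative to the open fd */
    }
    closedir(d);  /* also closes fd */
    return rc ? rc : unlinkat(parent_fd, name, AT_REMOVEDIR);
}

/* Constructed tree: "home" holds a file and a symlink to a directory outside it. */
int demo(void)
{
    char base[] = "/tmp/toctou-demo-XXXXXX";
    if (!mkdtemp(base)) return -1;
    int bfd = open(base, O_RDONLY | O_DIRECTORY);
    if (bfd < 0 || mkdirat(bfd, "outside", 0700) || mkdirat(bfd, "home", 0700) ||
        symlinkat("../outside", bfd, "home/link")) return -1;
    close(openat(bfd, "outside/keep", O_CREAT | O_WRONLY, 0600));
    close(openat(bfd, "home/file", O_CREAT | O_WRONLY, 0600));
    int rc = remove_tree_at(bfd, "home");
    int kept = faccessat(bfd, "outside/keep", F_OK, 0) == 0; /* target untouched */
    int gone = faccessat(bfd, "home", F_OK, 0) != 0;         /* tree removed */
    remove_tree_at(bfd, "outside"); close(bfd); rmdir(base);
    return (rc == 0 && kept && gone) ? 0 : 1;
}
int main(void) { return demo(); }
```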
There is no known workaround at this time.
All Shadow users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.12.2"
October 31, 2022
October 31, 2022: 1