Login or Register to Ask a Question and Join Our Community


Security Advisories (RSS)

USN-695-1: shadow vulnerability

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Special Forums Cybersecurity Security Advisories (RSS) USN-695-1: shadow vulnerability
# 1  
Old 12-17-2008
USN-695-1: shadow vulnerability
Description:
=========================================================== Ubuntu Security Notice USN-695-1 December 18, 2008 shadow vulnerability https://launchpad.net/bugs/306082 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 7.10 Ubuntu 8.04 LTS Ubuntu 8.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: login 1:4.0.13-7ubuntu3.4 Ubuntu 7.10: login 1:4.0.18.1-9ubuntu0.2 Ubuntu 8.04 LTS: login 1:4.0.18.2-1ubuntu2.2 Ubuntu 8.10: login 1:4.1.1-1ubuntu1.2 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Paul Szabo discovered a race condition in login. While setting up tty permissions, login did not correctly handle symlinks. If a local attacker were able to gain control of the system utmp file, they could cause login to change the ownership and permissions on arbitrary files, leading to a root privilege escalation.





More...
Login or Register to Ask a Question

Previous Thread | Next Thread
Login or Register to Ask a Question

LEARN ABOUT SUSE

pwconv

pwconv(8)						      System Manager's Manual							 pwconv(8)

NAME

       pwconv - convert to shadow account

SYNOPSIS

       pwconv [-P path]

DESCRIPTION

       pwconv  installs  and updates /etc/shadow with information from /etc/passwd. It relies on the special password 'x' in the password field of
       the account. This value indicates that the password for the user is already in /etc/shadow and should not be modified.

       If /etc/shadow does not exist, pwconv creates this file, moves the user password to it and creates default aging informations with the help
       of  the	values	of PASS_MIN_DAYS, PASS_MAX_DAYS and PASS_WARN_AGE from /etc/login.defs. The password field in /etc/passwd is replaced with
       the special character 'x'.

       If the /etc/shadow does exist, entries that are in the /etc/passwd file and not in the /etc/shadow file are added to the /etc/shadow  file.
       Accounts,  which  only  exist  in /etc/passwd, are added to /etc/shadow. Entries that are in /etc/shadow and not in /etc/passwd are removed
       from /etc/shadow. All passwords from /etc/passwd are moved to /etc/shadow and replaced with the special character 'x'.

       pwconv can be used for initial conversion and for updates later.

OPTIONS

       -P, --path path
	      The passwd and shadow files are located below the specified directory  path.  pwconv  will  use  this  files,  not  /etc/passwd  and
	      /etc/shadow.

FILES

       passwd - user account information
       shadow - shadow user account information

SEE ALSO

       passwd(1), login.defs(5), passwd(5), shadow(5), pwck(8), pwunconv(8)

AUTHOR

       Thorsten Kukuk <kukuk@suse.de>

pwdutils							   January 2004 							 pwconv(8)