USN-695-1: shadow vulnerability

12-17-2008

Registered User

26,240, 27

Join Date: Sep 2000

Last Activity: 1 August 2008, 3:09 PM EDT

Posts: 26,240

Thanks Given: 0

Thanked 27 Times in 26 Posts

USN-695-1: shadow vulnerability

Description:
=========================================================== Ubuntu Security Notice USN-695-1 December 18, 2008 shadow vulnerability https://launchpad.net/bugs/306082 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 7.10 Ubuntu 8.04 LTS Ubuntu 8.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: login 1:4.0.13-7ubuntu3.4 Ubuntu 7.10: login 1:4.0.18.1-9ubuntu0.2 Ubuntu 8.04 LTS: login 1:4.0.18.2-1ubuntu2.2 Ubuntu 8.10: login 1:4.1.1-1ubuntu1.2 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Paul Szabo discovered a race condition in login. While setting up tty permissions, login did not correctly handle symlinks. If a local attacker were able to gain control of the system utmp file, they could cause login to change the ownership and permissions on arbitrary files, leading to a root privilege escalation.

More...

Linux Bot

View Public Profile for Linux Bot

Find all posts by Linux Bot

pwconv(1M) System Administration Commands pwconv(1M) NAME
pwconv - installs and updates /etc/shadow with information from /etc/passwd SYNOPSIS
pwconv DESCRIPTION
The pwconv command creates and updates /etc/shadow with information from /etc/passwd. pwconv relies on a special value of 'x' in the password field of /etc/passwd. This value of 'x' indicates that the password for the user is already in /etc/shadow and should not be modified. If the /etc/shadow file does not exist, this command will create /etc/shadow with information from /etc/passwd. The command populates /etc/shadow with the user's login name, password, and password aging information. If password aging information does not exist in /etc/passwd for a given user, none will be added to /etc/shadow. However, the last changed information will always be updated. If the /etc/shadow file does exist, the following tasks will be performed: Entries that are in the /etc/passwd file and not in the /etc/shadow file will be added to the /etc/shadow file. Entries that are in the /etc/shadow file and not in the /etc/passwd file will be removed from /etc/shadow. Password attributes (for example, password and aging information) that exist in an /etc/passwd entry will be moved to the corre- sponding entry in /etc/shadow. The pwconv command can only be used by the super-user. FILES
/etc/opasswd /etc/oshadow /etc/passwd /etc/shadow ATTRIBUTES
See attributes(5) for descriptions of the following attributes: +-----------------------------+-----------------------------+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | +-----------------------------+-----------------------------+ |Availability |SUNWcsu | +-----------------------------+-----------------------------+ SEE ALSO
passwd(1), passmgmt(1M), usermod(1M), passwd(4), attributes(5) DIAGNOSTICS
pwconv exits with one of the following values: 0 SUCCESS. 1 Permission denied. 2 Invalid command syntax. 3 Unexpected failure. Conversion not done. 4 Unexpected failure. Password file(s) missing. 5 Password file(s) busy. Try again later. 6 Bad entry in /etc/shadow file. SunOS 5.10 9 Mar 1993 pwconv(1M)

Security Advisories (RSS)

USN-695-1: shadow vulnerability

LEARN ABOUT MINIX

pwconv