Red Hat Customer Portal

Skip to main content

Security Advisory Updated util-linux package fixes password locking race

Advisory: RHSA-2002:132-19
Type: Security Advisory
Severity: N/A
Issued on: 2002-06-27
Last updated on: 2003-07-10
Affected Products: Red Hat Linux 6.2
Red Hat Linux 7.0
Red Hat Linux 7.1
Red Hat Linux 7.1 for iSeries
Red Hat Linux 7.1 for pSeries
Red Hat Linux 7.2
Red Hat Linux 7.3
CVEs (cve.mitre.org): CVE-2002-0638

Details

A locally exploitable vulnerability is present in the util-linux package
which shipped with Red Hat Linux.

[Updated 8 July 2003]
Added packages for Red Hat Linux on IBM iSeries and pSeries systems.

The util-linux package contains a large variety of low-level system
utilities that are necessary for a Linux system to function. The chfn
utility included in this package allows users to modify personal
information stored in the system-wide password file, /etc/passwd. In order
to modify this file, this application is installed setuid root.

Under certain conditions, a carefully crafted attack sequence can be
performed to exploit a complex file locking and modification race present
in this utility allowing changes to be made to /etc/passwd.

In order to successfully exploit the vulnerability and perform privilege
escalation there is a need for minimal administrator interaction.
Additionally, the password file must be over 4 kilobytes, and the local
attackers entry must not be in the last 4 kilobytes of the password file.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0638 to this issue.

An interim workaround is to remove setuid flags from /usr/bin/chfn and
/usr/bin/chsh. All users of Red Hat Linux should update the packages
contained in this erratum, which are patched to correct this vulnerability.

Many thanks to Michal Zalewski of Bindview for alerting us to this issue.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Linux 6.2

SRPMS:
ftp://updates.redhat.com/rhn/repository/NULL/util-linux/2.10f-7.6.2/SRPMS/util-linux-2.10f-7.6.2.src.rpm
Missing file
    MD5: 0af6265f350849394fc54ca7f006fd82
 
Alpha:
ftp://updates.redhat.com/rhn/repository/NULL/util-linux/2.10f-7.6.2/alpha/util-linux-2.10f-7.6.2.alpha.rpm
Missing file
    MD5: 4e30115e7fd311ac8496637c03716473
 
IA-32:
ftp://updates.redhat.com/rhn/repository/NULL/util-linux/2.10f-7.6.2/i386/util-linux-2.10f-7.6.2.i386.rpm
Missing file
    MD5: e1c0e740d41aaddc7817604ed449e872
 
Sparc:
ftp://updates.redhat.com/rhn/repository/NULL/util-linux/2.10f-7.6.2/sparc/util-linux-2.10f-7.6.2.sparc.rpm
Missing file
    MD5: fe28b4c80b9fe909c38f913b899ddb16
 
Red Hat Linux 7.0

SRPMS:
ftp://updates.redhat.com/rhn/repository/NULL/util-linux/2.10m-12.7.0/SRPMS/util-linux-2.10m-12.7.0.src.rpm
Missing file
    MD5: 4aa3502469cc8255aea825cebe82d4db
 
Alpha:
ftp://updates.redhat.com/rhn/repository/NULL/util-linux/2.10m-12.7.0/alpha/util-linux-2.10m-12.7.0.alpha.rpm
Missing file
    MD5: b2e1b30a837e440297acba35d13fab77
 
IA-32:
ftp://updates.redhat.com/rhn/repository/NULL/util-linux/2.10m-12.7.0/i386/util-linux-2.10m-12.7.0.i386.rpm
Missing file
    MD5: af9aca214e81e4f306d49ed398a79f22
 
Red Hat Linux 7.1

SRPMS:
ftp://updates.redhat.com/rhn/repository/NULL/util-linux/2.11f-17.7.2/SRPMS/util-linux-2.11f-17.7.2.src.rpm
Missing file
    MD5: dc87f0566da2f6a37443f9614cb1ff61
 
Alpha:
ftp://updates.redhat.com/rhn/repository/NULL/util-linux/2.11f-17.7.2/alpha/util-linux-2.11f-17.7.2.alpha.rpm
Missing file
    MD5: c3bc4100fdc6e4e7c4b524c16991f168
 
IA-32:
ftp://updates.redhat.com/rhn/repository/NULL/util-linux/2.11f-17.7.2/i386/util-linux-2.11f-17.7.2.i386.rpm
Missing file
    MD5: 668e4b28b07dcd9718744b2c59383bc2
 
IA-64:
ftp://updates.redhat.com/rhn/repository/NULL/util-linux/2.11f-17.7.2/ia64/util-linux-2.11f-17.7.2.ia64.rpm
Missing file
    MD5: 200e1661f445fca662f51d810f650448
 
Red Hat Linux 7.1 for iSeries

SRPMS:
ftp://updates.redhat.com/rhn/repository/NULL/util-linux/2.11f-17.7.2/SRPMS/util-linux-2.11f-17.7.2.src.rpm
Missing file
    MD5: dc87f0566da2f6a37443f9614cb1ff61
 
iSeries:
ftp://updates.redhat.com/rhn/repository/NULL/util-linux/2.11f-17.7.2/ppc/util-linux-2.11f-17.7.2.ppc.rpm
Missing file
    MD5: 39b2f33573da14946639e38f7dbccaec
 
Red Hat Linux 7.1 for pSeries

SRPMS:
ftp://updates.redhat.com/rhn/repository/NULL/util-linux/2.11f-17.7.2/SRPMS/util-linux-2.11f-17.7.2.src.rpm
Missing file
    MD5: dc87f0566da2f6a37443f9614cb1ff61
 
pSeries:
ftp://updates.redhat.com/rhn/repository/NULL/util-linux/2.11f-17.7.2/ppc/util-linux-2.11f-17.7.2.ppc.rpm
Missing file
    MD5: 39b2f33573da14946639e38f7dbccaec
 
Red Hat Linux 7.2

SRPMS:
ftp://updates.redhat.com/rhn/repository/NULL/util-linux/2.11f-17.7.2/SRPMS/util-linux-2.11f-17.7.2.src.rpm
Missing file
    MD5: dc87f0566da2f6a37443f9614cb1ff61
 
IA-32:
ftp://updates.redhat.com/rhn/repository/NULL/util-linux/2.11f-17.7.2/i386/util-linux-2.11f-17.7.2.i386.rpm
Missing file
    MD5: 668e4b28b07dcd9718744b2c59383bc2
 
IA-64:
ftp://updates.redhat.com/rhn/repository/NULL/util-linux/2.11f-17.7.2/ia64/util-linux-2.11f-17.7.2.ia64.rpm
Missing file
    MD5: 200e1661f445fca662f51d810f650448
 
Red Hat Linux 7.3

SRPMS:
ftp://updates.redhat.com/rhn/repository/NULL/util-linux/2.11n-12.7.3/SRPMS/util-linux-2.11n-12.7.3.src.rpm
Missing file
    MD5: 474988909a18c0f73a65de40bf946e92
 
IA-32:
ftp://updates.redhat.com/rhn/repository/NULL/losetup/2.11n-12.7.3/i386/losetup-2.11n-12.7.3.i386.rpm
Missing file
    MD5: b1b6d7852f75d1014204b7853f656427
ftp://updates.redhat.com/rhn/repository/NULL/mount/2.11n-12.7.3/i386/mount-2.11n-12.7.3.i386.rpm
Missing file
    MD5: 496ec0a9c0720ba5bed7baa917114aac
ftp://updates.redhat.com/rhn/repository/NULL/util-linux/2.11n-12.7.3/i386/util-linux-2.11n-12.7.3.i386.rpm
Missing file
    MD5: da8c81ee48c180694b89c9c99f543256
 

References


Keywords

locking, password, race, util-linux


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/