Security Advisory Low: shadow-utils security and bug fix update

Advisory: RHSA-2007:0276-3
Type: Security Advisory
Severity: Low
Issued on: 2007-05-01
Last updated on: 2007-05-01
Affected Products: Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 4)
CVEs (cve.mitre.org): CVE-2006-1174

Details

Updated shadow-utils packages that fix a security issue and various bugs
are now available.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

The shadow-utils package includes the necessary programs for converting
UNIX password files to the shadow password format, as well as programs for
managing user and group accounts.

A flaw was found in the useradd tool in shadow-utils. A new user's
mailbox, when created, could have random permissions for a short period.
This could allow a local attacker to read or modify the mailbox.
(CVE-2006-1174)

This update also fixes the following bugs:

* The shadow-utils debuginfo package was empty.

* faillog was unusable on 64-bit systems. It checked every UID from 0 to
the max UID, which was an excessively large number on 64-bit systems.

* The login.defs file contained a typo.

All users of shadow-utils are advised to upgrade to these updated packages,
which contain backported patches to resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:

up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

Updated packages

Red Hat Desktop (v. 4)

SRPMS:
shadow-utils-4.0.3-61.RHEL4.src.rpm
File outdated by:  RHBA-2010:0669
    MD5: 27a806cdce6ee1e07c7178b0f97e61f8
 
IA-32:
shadow-utils-4.0.3-61.RHEL4.i386.rpm
File outdated by:  RHBA-2010:0669
    MD5: 97eb50ec2a451168eebbbfa7e2278bad
 
x86_64:
shadow-utils-4.0.3-61.RHEL4.x86_64.rpm
File outdated by:  RHBA-2010:0669
    MD5: 8aaf79b408d0fd299809882843b7f3a1
 
Red Hat Enterprise Linux AS (v. 4)

SRPMS:
shadow-utils-4.0.3-61.RHEL4.src.rpm
File outdated by:  RHBA-2010:0669
    MD5: 27a806cdce6ee1e07c7178b0f97e61f8
 
IA-32:
shadow-utils-4.0.3-61.RHEL4.i386.rpm
File outdated by:  RHBA-2010:0669
    MD5: 97eb50ec2a451168eebbbfa7e2278bad
 
IA-64:
shadow-utils-4.0.3-61.RHEL4.ia64.rpm
File outdated by:  RHBA-2010:0669
    MD5: 50e10226650a72262916f9af8a0809a1
 
PPC:
shadow-utils-4.0.3-61.RHEL4.ppc.rpm
File outdated by:  RHBA-2010:0669
    MD5: 9db2a7e51c1d50c7afa7143769267127
 
s390:
shadow-utils-4.0.3-61.RHEL4.s390.rpm
File outdated by:  RHBA-2010:0669
    MD5: 581e4671e28971d933f86b22f00b3d81
 
s390x:
shadow-utils-4.0.3-61.RHEL4.s390x.rpm
File outdated by:  RHBA-2010:0669
    MD5: 20a2d814d215e9baf4157508cb4f2d23
 
x86_64:
shadow-utils-4.0.3-61.RHEL4.x86_64.rpm
File outdated by:  RHBA-2010:0669
    MD5: 8aaf79b408d0fd299809882843b7f3a1
 
Red Hat Enterprise Linux ES (v. 4)

SRPMS:
shadow-utils-4.0.3-61.RHEL4.src.rpm
File outdated by:  RHBA-2010:0669
    MD5: 27a806cdce6ee1e07c7178b0f97e61f8
 
IA-32:
shadow-utils-4.0.3-61.RHEL4.i386.rpm
File outdated by:  RHBA-2010:0669
    MD5: 97eb50ec2a451168eebbbfa7e2278bad
 
IA-64:
shadow-utils-4.0.3-61.RHEL4.ia64.rpm
File outdated by:  RHBA-2010:0669
    MD5: 50e10226650a72262916f9af8a0809a1
 
x86_64:
shadow-utils-4.0.3-61.RHEL4.x86_64.rpm
File outdated by:  RHBA-2010:0669
    MD5: 8aaf79b408d0fd299809882843b7f3a1
 
Red Hat Enterprise Linux WS (v. 4)

SRPMS:
shadow-utils-4.0.3-61.RHEL4.src.rpm
File outdated by:  RHBA-2010:0669
    MD5: 27a806cdce6ee1e07c7178b0f97e61f8
 
IA-32:
shadow-utils-4.0.3-61.RHEL4.i386.rpm
File outdated by:  RHBA-2010:0669
    MD5: 97eb50ec2a451168eebbbfa7e2278bad
 
IA-64:
shadow-utils-4.0.3-61.RHEL4.ia64.rpm
File outdated by:  RHBA-2010:0669
    MD5: 50e10226650a72262916f9af8a0809a1
 
x86_64:
shadow-utils-4.0.3-61.RHEL4.x86_64.rpm
File outdated by:  RHBA-2010:0669
    MD5: 8aaf79b408d0fd299809882843b7f3a1
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

176951 - shadow-utils-debuginfo is empty
177017 - faillog doesn't handle large UIDs well
188263 - typo in /etc/login.defs
193053 - CVE-2006-1174 shadow-utils mailbox creation race condition


Keywords

condition, mailbox, race


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/