Hello,

On Sat, Jul 22, 2006 at 12:59:59AM +0200, Henry Jensen wrote:
>
> I just checked the source. From there it seems that the Debian passwd
> is affected by CVE-2006-3378 (USN-308-1 in Ubuntu), too.

Here is a patch for this issue (taken from the ubuntu package).

Its changelog could be:
  * SECURITY UPDATE: CVE-2006-3378: Root privilege escalation.
  * src/passwd.c:
    - Check for failing setuid() (which can happen if user hits PAM limits).
      Before, passwd continued to run as root and executed chfn/chsh/gpasswd
      as root instead of as the user.
    - Thanks to Sune Kloppenborg Jeppesen for pointing this out.

Please note also that (because of #356939) there are other shadow packages
being processed (which do not fix this vulnerability):
1:4.0.3-31sarge6 (in the security queue) and
1:4.0.3-31sarge7 (in the proposed-update queue)

Security team, what should we do?
 * Ask the FTP masters to drop the current 1:4.0.3-31sarge6 and
   1:4.0.3-31sarge7 and upload a new 1:4.0.3-31sarge6 (with only this
   security fix?, with both?)
 * Upload a new 1:4.0.3-31sarge8 (where? with only this security fix?,
   with both?)

Thanks in advance,
-- 
Nekral

Index: src/passwd.c =================================================================== --- src/passwd.c (révision 1053) +++ src/passwd.c (copie de travail) @@ -958,7 +958,13 @@ if (argc > 1 && argv[1][0] == '-' && strchr ("gfs", argv[1][1])) { char buf[200]; - setuid (getuid ()); + uid_t uid = getuid(); + setuid (uid); + if (getuid() != uid) { + perror("cannot set user id"); + SYSLOG ((LOG_ERR, "setuid to %i failed", uid)); + exit(E_FAILURE); + } switch (argv[1][1]) { case 'g': argv[1] = GPASSWD_PROGRAM; /* XXX warning: const */
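
Review bot: The added test `if (getuid() != uid)` cannot detect the failure it is meant to catch, because `uid` was itself read from `getuid()` one line earlier and a failed `setuid()` leaves the real user id unchanged, so the comparison is equal whether or not privileges were dropped. In a set-uid-root passwd the value that stays at 0 on failure is the effective uid, so the check should be on the return value of the call, for example `if (setuid (uid) != 0) {`, or on `geteuid() != uid` afterwards. Testing the return value also keeps `perror()` meaningful, since it reports the errno from the failed call. As a smaller point, the SYSLOG format uses `%i` for a `uid_t`; a cast such as `(long) uid` with `%ld` avoids a type mismatch where `uid_t` is not an `int`.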