[arch-security] [ASA-201507-19] libuser: multiple issues

[Levente Polyak]

Arch Linux Security Advisory ASA-201507-19
==========================================

Severity: Critical
Date    : 2015-07-24
CVE-ID  : CVE-2015-3245 CVE-2015-3246
Package : libuser
Type    : multiple issues
Remote  : No
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package libuser before version 0.62-1 is vulnerable to privilege
escalation and denial of service.

Resolution
==========

Upgrade to 0.62-1.

# pacman -Syu "libuser>=0.62-1"

The problems have been fixed upstream in version 0.62.

Workaround
==========

None.

Description
===========

- CVE-2015-3245 (denial of service)

It was found that libuser, as used by the chfn userhelper functionality,
did not properly filter out newline characters in GECOS fields. A local,
authenticated user could use this flaw to corrupt the /etc/passwd file,
resulting in a denial-of-service on the system.

- CVE-2015-3246 (privilege escalation)

A flaw was found in the way the libuser library handled the /etc/passwd
file. A local attacker could use an application compiled against libuser
(for example, userhelper) to manipulate the /etc/passwd file, which
could result in a denial of service or possibly allow the attacker to
escalate their privileges to root.

Impact
======

A local authenticated user is able to use an application compiled
against libuser to escalate privileges to root or perform a
denial-of-service attack on the system by corrupting the /etc/passwd file.

References
==========

http://seclists.org/oss-sec/2015/q3/185
https://access.redhat.com/security/cve/CVE-2015-3245
https://access.redhat.com/security/cve/CVE-2015-3246

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150724/0824cc0e/attachment.asc>