[ASA-201912-4] shadow: privilege escalation
Levente Polyak
anthraxx at archlinux.org
Wed Dec 18 21:30:10 UTC 2019
Arch Linux Security Advisory ASA-201912-4
=========================================
Severity: High
Date : 2019-12-18
CVE-ID : CVE-2019-19882
Package : shadow
Type : privilege escalation
Remote : No
Link : https://security.archlinux.org/AVG-1079
Summary
=======
The package shadow before version 4.8-1 is vulnerable to privilege
escalation.
Resolution
==========
Upgrade to 4.8-1.
# pacman -Syu "shadow>=4.8-1"
The problem has been fixed upstream in version 4.8.
Workaround
==========
None.
Description
===========
shadow 4.8, in certain circumstances affecting at least Gentoo, Arch
Linux, and Void Linux, allows local users to obtain root access because
setuid programs are misconfigured. Specifically, this affects shadow
4.8 when compiled using --with-libpam but without explicitly passing
--disable-account-tools-setuid, and without a PAM configuration
suitable for use with setuid account management tools. This combination
leads to account management tools (groupadd, groupdel, groupmod,
useradd, userdel, usermod) that can easily be used by unprivileged
local users to escalate privileges to root in multiple ways. This issue
became much more relevant in approximately December 2019 when an
unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed
in the upstream Makefile which is now included in the release version
4.8).
Impact
======
A local authenticated user can escalate privileges by using setuid
binaries.
References
==========
https://bugs.archlinux.org/task/64836
https://bugs.gentoo.org/702252
https://github.com/shadow-maint/shadow/commit/edf7547ad5aa650be868cf2dac58944773c12d75
https://github.com/shadow-maint/shadow/pull/199
https://github.com/void-linux/void-packages/pull/17580
https://security.archlinux.org/CVE-2019-19882
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20191218/5e3bc7a8/attachment.sig>
More information about the arch-security
mailing list