Message-ID: <20110215222246.GG4000@outflux.net>
Date: Tue, 15 Feb 2011 14:22:46 -0800
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-1065-1] shadow vulnerability

===========================================================
Ubuntu Security Notice USN-1065-1         February 15, 2011
shadow vulnerability
CVE-2011-0721
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  passwd                          1:4.1.4.1-1ubuntu2.2

Ubuntu 10.04 LTS:
  passwd                          1:4.1.4.2-1ubuntu2.2

Ubuntu 10.10:
  passwd                          1:4.1.4.2-1ubuntu3.2

In general, a standard system update will make all the necessary changes.

Details follow:

Kees Cook discovered that some shadow utilities did not correctly validate
user input. A local attacker could exploit this flaw to inject newlines into
the /etc/passwd file. If the system was configured to use NIS, this could
lead to existing NIS groups or users gaining or losing access to the system,
resulting in a denial of service or unauthorized access.
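
As an added example (not part of the advisory and not code from the shadow package), the Python sketch below audits a passwd-format file for the symptoms of the flaw described above, and shows the per-field check a tool writing that file should apply. The function names, the `allowed_compat` parameter and the sample data are constructed for illustration.

```python
import re

FIELDS = 7  # name:password:uid:gid:gecos:home:shell

def field_is_safe(value):
    """Input check: True if value fits in one passwd field (no ':' or control chars)."""
    return not any(ch == ":" or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)

def audit_passwd(text, allowed_compat=()):
    """Return (line_number, reason) for each line that is not a well-formed record.

    allowed_compat (hypothetical parameter): the '+'/'-' NIS compat lines the
    administrator put there on purpose; any other such line is reported.
    """
    lines = text.split("\n")      # records are separated by '\n' only
    if lines and lines[-1] == "":
        lines.pop()               # newline terminating the last record
    findings = []
    for number, line in enumerate(lines, 1):
        if line == "":
            findings.append((number, "blank line"))
        elif line[0] in "+-":
            if line not in allowed_compat:
                findings.append((number, "unexpected NIS compat entry"))
        else:
            fields = line.split(":")
            if len(fields) != FIELDS:
                findings.append((number, f"expected {FIELDS} fields, found {len(fields)}"))
            elif not all(re.fullmatch(r"[0-9]+", f) for f in fields[2:4]):
                findings.append((number, "non-numeric UID or GID"))
            elif not all(field_is_safe(f) for f in fields):
                findings.append((number, "control character in record"))
    return findings

# Constructed sample: alice's record was cut in two by a newline in its GECOS
# field, and a compat line is present that nobody configured.
SAMPLE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000:Alice Example,Room 12\n"
    ",,:/home/alice:/bin/bash\n"
    "+::::::\n"
    "bob:x:1001:1001:Bob:/home/bob:/bin/sh\n"
)

if __name__ == "__main__":
    for number, reason in audit_passwd(SAMPLE):
        print(f"line {number}: {reason}")
```

On a host that does use NIS, pass the compat lines that are meant to be present as `allowed_compat` so that only unexpected ones are reported.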


