- Issued:
- 2007-05-01
- Updated:
- 2007-05-01
RHSA-2007:0276 - Security Advisory
Synopsis
Low: shadow-utils security and bug fix update
Type/Severity
Security Advisory: Low
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
Updated shadow-utils packages that fix a security issue and various bugs
are now available.
This update has been rated as having low security impact by the Red Hat
Security Response Team.
Description
The shadow-utils package includes the necessary programs for converting
UNIX password files to the shadow password format, as well as programs for
managing user and group accounts.
A flaw was found in the useradd tool in shadow-utils. A new user's
mailbox, when created, could have random permissions for a short period.
This could allow a local attacker to read or modify the mailbox.
(CVE-2006-1174)
This update also fixes the following bugs:
- shadow-utils debuginfo package was empty.
- faillog was unusable on 64-bit systems. It checked every UID from 0 to
the max UID, which was an excessively large number on 64-bit systems.
- typo bug in login.defs file
All users of shadow-utils are advised to upgrade to these updated packages,
which contain backported patches to resolve these issues.
Solution
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:
Affected Products
- Red Hat Enterprise Linux Server 4 x86_64
- Red Hat Enterprise Linux Server 4 ia64
- Red Hat Enterprise Linux Server 4 i386
- Red Hat Enterprise Linux Workstation 4 x86_64
- Red Hat Enterprise Linux Workstation 4 ia64
- Red Hat Enterprise Linux Workstation 4 i386
- Red Hat Enterprise Linux Desktop 4 x86_64
- Red Hat Enterprise Linux Desktop 4 i386
- Red Hat Enterprise Linux for IBM z Systems 4 s390x
- Red Hat Enterprise Linux for IBM z Systems 4 s390
- Red Hat Enterprise Linux for Power, big endian 4 ppc
Fixes
- BZ - 176951 - shadow-utils-debuginfo is empty
- BZ - 177017 - faillog doesn't handle large UIDs well
- BZ - 188263 - typo in /etc/login.defs
- BZ - 193053 - CVE-2006-1174 shadow-utils mailbox creation race condition
CVEs
Red Hat Enterprise Linux Server 4
| SRPM | |
|---|---|
| shadow-utils-4.0.3-61.RHEL4.src.rpm | SHA-256: 04bed3f86c39f29aa2e1c864ba11ee17823d4db3f78b1a3baf8b2e93cebc95bb |
| x86_64 | |
| shadow-utils-4.0.3-61.RHEL4.x86_64.rpm | SHA-256: 67c66393d49a2b1f1456eaa013cd5d201702ccf587f7d501ad2bcc2e27b83bbb |
| shadow-utils-4.0.3-61.RHEL4.x86_64.rpm | SHA-256: 67c66393d49a2b1f1456eaa013cd5d201702ccf587f7d501ad2bcc2e27b83bbb |
| ia64 | |
| shadow-utils-4.0.3-61.RHEL4.ia64.rpm | SHA-256: 1cba59779c7c5355a713d079c9f9f50d4cc39d78cb41f178ba41845b92250d53 |
| shadow-utils-4.0.3-61.RHEL4.ia64.rpm | SHA-256: 1cba59779c7c5355a713d079c9f9f50d4cc39d78cb41f178ba41845b92250d53 |
| i386 | |
| shadow-utils-4.0.3-61.RHEL4.i386.rpm | SHA-256: 4c59fc520cce1b18f96fdeabca6f244680aee28fa282d50b23e16ce365e5f17f |
| shadow-utils-4.0.3-61.RHEL4.i386.rpm | SHA-256: 4c59fc520cce1b18f96fdeabca6f244680aee28fa282d50b23e16ce365e5f17f |
Red Hat Enterprise Linux Workstation 4
| SRPM | |
|---|---|
| shadow-utils-4.0.3-61.RHEL4.src.rpm | SHA-256: 04bed3f86c39f29aa2e1c864ba11ee17823d4db3f78b1a3baf8b2e93cebc95bb |
| x86_64 | |
| shadow-utils-4.0.3-61.RHEL4.x86_64.rpm | SHA-256: 67c66393d49a2b1f1456eaa013cd5d201702ccf587f7d501ad2bcc2e27b83bbb |
| ia64 | |
| shadow-utils-4.0.3-61.RHEL4.ia64.rpm | SHA-256: 1cba59779c7c5355a713d079c9f9f50d4cc39d78cb41f178ba41845b92250d53 |
| i386 | |
| shadow-utils-4.0.3-61.RHEL4.i386.rpm | SHA-256: 4c59fc520cce1b18f96fdeabca6f244680aee28fa282d50b23e16ce365e5f17f |
Red Hat Enterprise Linux Desktop 4
| SRPM | |
|---|---|
| shadow-utils-4.0.3-61.RHEL4.src.rpm | SHA-256: 04bed3f86c39f29aa2e1c864ba11ee17823d4db3f78b1a3baf8b2e93cebc95bb |
| x86_64 | |
| shadow-utils-4.0.3-61.RHEL4.x86_64.rpm | SHA-256: 67c66393d49a2b1f1456eaa013cd5d201702ccf587f7d501ad2bcc2e27b83bbb |
| i386 | |
| shadow-utils-4.0.3-61.RHEL4.i386.rpm | SHA-256: 4c59fc520cce1b18f96fdeabca6f244680aee28fa282d50b23e16ce365e5f17f |
Red Hat Enterprise Linux for IBM z Systems 4
| SRPM | |
|---|---|
| shadow-utils-4.0.3-61.RHEL4.src.rpm | SHA-256: 04bed3f86c39f29aa2e1c864ba11ee17823d4db3f78b1a3baf8b2e93cebc95bb |
| s390x | |
| shadow-utils-4.0.3-61.RHEL4.s390x.rpm | SHA-256: 8a46a7af4daf53384e134e8a12b7b3085a722586ea30370049891fcf84238d98 |
| s390 | |
| shadow-utils-4.0.3-61.RHEL4.s390.rpm | SHA-256: c76d633c0b82743f2bb18c525add8dab6f5c99888a5211b200c458fe079e00bc |
Red Hat Enterprise Linux for Power, big endian 4
| SRPM | |
|---|---|
| shadow-utils-4.0.3-61.RHEL4.src.rpm | SHA-256: 04bed3f86c39f29aa2e1c864ba11ee17823d4db3f78b1a3baf8b2e93cebc95bb |
| ppc | |
| shadow-utils-4.0.3-61.RHEL4.ppc.rpm | SHA-256: 2de441c2c1843c7c4ce189fc04d4fabeff925bc6aea369bd18cf1f66c219e530 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
