Security
SHARE
Facebook X Pinterest WhatsApp

SuSE Linux Advisory: shadow/pam-modules

Written By
thumbnail
Web Webster
Web Webster
May 17, 2002 
____________________________________________________________________________

                        SuSE Security Announcement

        Package:                shadow/pam-modules
        Announcement-ID:        SuSE-SA:2002:017
        Date:                   Thu May 16 12:00:00 MEST 2002
        Affected products:      8.0
        Vulnerability Type:     local privilege escalation
        Severity (1-10):        5
        SuSE default package:   yes
        Other affected systems: No.

    Content of this advisory:
        1) security vulnerability resolved: write() disruption in shadow utils
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds
        3) standard appendix (further information)

____________________________________________________________________________

1)  problem description, brief discussion, solution, upgrade information

    The shadow package contains several useful programs to maintain the
    entries in the /etc/passwd and /etc/shadow files.
        The SuSE Security Team discovered a vulnerability that allows local
    attackers to destroy the contents of these files or to extend the group
    privileges of certain users. This is possible by setting evil filesize
    limits before invoking one of the programs modifying the system files.
    Depening on the permissions of the system binaries this allows a local
    attacker to gain root privileges in the worst case. This however is not
    possible in a default installation.
        The bug has been fixed by ensuring the integrity of the data written
    to temporary files before moving them to the appropriate location of the
    system. There is no workaround so we recommend an update in any case.
    It is necessary to update the shadow package as well as the pam-modules
    package in order to prevent the truncation attacks.

    Please download the update package for your distribution and verify its
    integrity by the methods listed in section 3) of this announcement.
    Then, install the package using the command "rpm -Fhv file.rpm" to apply
    the update.
    Our maintenance customers are being notified individually. The packages
    are being offered to install from the maintenance web.


    i386 Intel Platform:

    SuSE-8.0
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/a1/shadow-4.0.2-88.i386.rpm
      a4e0d03ecf7707eb7ca1f0422cae89f1
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/a1/pam-modules-2002.3.9-31.i386.rpm
      70322584f014ac3e2dc2dad0beecdefb

    source rpm:
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/shadow-4.0.2-88.src.rpm
      33af2433d9a8822202e9f6ebdc6d3e2c
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/pam-modules-2002.3.9-31.src.rpm
      1bc5bbd169ffe5c35caa0a4ce681dcc0

____________________________________________________________________________

2)  Pending vulnerabilities in SuSE Distributions and Workarounds:

    - leafnode
    The permissions of "/etc/leafnode" have been corrected. Please update
    to the newly available packages if you use leafnode.

    - xf86, xmodules, xloader
    Incorrect permission checks in certain X11 functions allow local attackers
    to read or write shared memory segments they should not have access to.
    Corrected packages will soon be available on our ftp-servers.

____________________________________________________________________________

3)  standard appendix: authenticity verification, additional information

  - Package authenticity verification:

    SuSE update packages are available on many mirror ftp servers all over
    the world. While this service is being considered valuable and important
    to the free and open source software community, many users wish to be
    sure about the origin of the package and its content before installing
    the package. There are two verification methods that can be used
    independently from each other to prove the authenticity of a downloaded
    file or rpm package:
    1) md5sums as provided in the (cryptographically signed) announcement.
    2) using the internal gpg signatures of the rpm package.

    1) execute the command
        md5sum <name-of-the-file.rpm>
       after you downloaded the file from a SuSE ftp server or its mirrors.
       Then, compare the resulting md5sum with the one that is listed in the
       announcement. Since the announcement containing the checksums is
       cryptographically signed (usually using the key security@suse.de),
       the checksums show proof of the authenticity of the package.
       We disrecommend to subscribe to security lists which cause the
       email message containing the announcement to be modified so that
       the signature does not match after transport through the mailing
       list software.
       Downsides: You must be able to verify the authenticity of the
       announcement in the first place. If RPM packages are being rebuilt
       and a new version of a package is published on the ftp server, all
       md5 sums for the files are useless.

    2) rpm package signatures provide an easy way to verify the authenticity
       of an rpm package. Use the command
        rpm -v --checksig <file.rpm>
       to verify the signature of the package, where <file.rpm> is the
       filename of the rpm package that you have downloaded. Of course,
       package authenticity verification can only target an uninstalled rpm
       package file.
       Prerequisites:
        a) gpg is installed
        b) The package is signed using a certain key. The public part of this
           key must be installed by the gpg program in the directory
           ~/.gnupg/ under the user's home directory who performs the
           signature verification (usually root). You can import the key
           that is used by SuSE in rpm packages for SuSE Linux by saving
           this announcement to a file ("announcement.txt") and
           running the command (do "su -" to be root):
            gpg --batch; gpg < announcement.txt | gpg --import
           SuSE Linux distributions version 7.1 and thereafter install the
           key "build@suse.de" upon installation or upgrade, provided that
           the package gpg is installed. The file containing the public key
           is placed at the toplevel directory of the first CD (pubring.gpg)
           and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .


  - SuSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-security@suse.com
        -   general/linux/SuSE security discussion.
            All SuSE security announcements are sent to this list.
            To subscribe, send an email to
                <suse-security-subscribe@suse.com>.

    suse-security-announce@suse.com
        -   SuSE's announce-only mailing list.
            Only SuSE's security annoucements are sent to this list.
            To subscribe, send an email to
                <suse-security-announce-subscribe@suse.com>.

    For general information or the frequently asked questions (faq)
    send mail to:
        <suse-security-info@suse.com> or
        <suse-security-faq@suse.com> respectively.

    =====================================================================
    SuSE's security contact is <security@suse.com> or <security@suse.de>.
    The <security@suse.de> public key is listed below.
    =====================================================================
____________________________________________________________________________

    The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way. In particular,
    it is desired that the cleartext signature shows proof of the
    authenticity of the text.
    SuSE Linux AG makes no warranties of any kind whatsoever with respect
    to the information contained in this security advisory.

Type Bits/KeyID    Date       User ID
pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
thumbnail
Web Webster

Web Webster

Web Webster has more than 20 years of writing and editorial experience in the tech sector. He’s written and edited news, demand generation, user-focused, and thought leadership content for business software solutions, consumer tech, and Linux Today, he edits and writes for a portfolio of tech industry news and analysis websites including webopedia.com, and DatabaseJournal.com.

Recommended for you...

Blog
A Thorough Approach to Improve the Privacy and Security of Your Linux PC
Damien
Oct 24, 2024
Blog
Several Russian Maintainers Removed From Linux Kernel Due To Compliance Concerns
Senthil Kumar
Oct 23, 2024
Blog
OpenSSH Splits Again: New Authentication Binary Unveiled
Bobby Borisov
Oct 16, 2024
Blog
13 Best Free and Open Source Anti-Malware Tools
webmaster
Oct 14, 2024
Linux Today Logo

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

facebook
linkedin
x

Company

Contact us

Categories

News IT Management Infrastructure Developer Security High Performance Storage Blog

Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information