[Pkg-shadow-devel] Bug#379174: shadow: CVE-2006-3378

Nicolas François nicolas.francois at centraliens.net
Sun Jul 23 17:18:54 UTC 2006


Hello,

On Sat, Jul 22, 2006 at 12:59:59AM +0200, Henry Jensen wrote:
> 
> I just checked the source. From there it seems that the Debian passwd 
> is affected by CVE-2006-3378 (USN-308-1 in Ubuntu), too.

Here is a patch for this issue (taken from the Ubuntu package).

Its changelog could be:

  * SECURITY UPDATE: CVE-2006-3378: Root privilege escalation.
  * src/passwd.c:
    - Check for failing setuid() (which can happen if user hits PAM
      limits). Before, passwd continued to run as root and executed
      chfn/chsh/gpasswd as root instead of as the user.
    - Thanks to Sune Kloppenborg Jeppesen for pointing this out.

Please note also that (because of #356939) there are other shadow packages
being processed (which do not fix this vulnerability):
1:4.0.3-31sarge6 (in the security queue) and 1:4.0.3-31sarge7 (in the
proposed-update queue)


Security team, what should we do?
 * Ask the FTP masters to drop the current 1:4.0.3-31sarge6 and
   1:4.0.3-31sarge7 and upload a new 1:4.0.3-31sarge6 (with only this
   security fix?, with both?)
 * Upload a new 1:4.0.3-31sarge8 (where? with only this security fix?,
   with both?)

Thanks in advance,
-- 
Nekral
-------------- next part --------------
Index: src/passwd.c
===================================================================
--- src/passwd.c	(r?vision 1053)
+++ src/passwd.c	(copie de travail)
@@ -958,7 +958,13 @@
 	if (argc > 1 && argv[1][0] == '-' && strchr ("gfs", argv[1][1])) {
 		char buf[200];
 
-		setuid (getuid ());
+		uid_t uid = getuid();
+		setuid (uid);
+		if (getuid() != uid) {
+		    perror("cannot set user id");
+		    SYSLOG ((LOG_ERR, "setuid to %i failed", uid));
+		    exit(E_FAILURE);
+		}
 		switch (argv[1][1]) {
 		case 'g':
 			argv[1] = GPASSWD_PROGRAM;	/* XXX warning: const */
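
Review bot: the added test `if (getuid() != uid)` cannot detect a failed setuid(), because `uid` was itself read from getuid() one line earlier and a failed setuid() leaves the real UID unchanged, so the comparison is false whether or not the call succeeded. The failure the changelog describes leaves the effective UID at 0, and that is what needs checking: test the return value directly with `if (setuid (uid) != 0)`, or compare `geteuid()` against `uid` after the call. Checking the return value also keeps errno from setuid() intact for perror(). As a smaller point, the SYSLOG call formats a `uid_t` with `%i`; an explicit cast (for example to `unsigned long` with `%lu`) avoids a type mismatch on platforms where `uid_t` is not `int`.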

