CVE-2013-4235
Published: 3 December 2019
shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees
Notes
Author | Note |
---|---|
ccdm94 | The original issue associated with this CVE is issue 317, which provides a fix through commit dcca865. However, another pull request which references this issue was opened at a later date, this being PR 545. This pull request is said to actually address the issue while commit dcca865 was only a workaround to the problem. Additionally, from the first comment that can be seen in PR 483, it seems like commit b447216 is also needed in order to completely fix this issue. Three commits fixing regressions introduced by one of the fix commits have been added after release 4.12.2, which is considered by upstream as the fixed release. These commits are: f3bdb28, 10cd68e and cde221b. They are a part of version 4.13 of shadow. One of the commits that needs to be applied in order to fix this CVE introduces a regression in focal and earlier, as seen by Launchpad bug 1998169. The commit which seems to cause the issue is commit f3bdb28. Flag AT_SYMLINK_NOFOLLOW is not implemented in the kernel for function fchmodat, and, for focal and earlier, glibc does not contain commit 752dd17443, which fixes this problem. Therefore, useradd was not behaving correctly in focal and earlier once the fix for this issue was applied. |
Priority
Status
Package | Release | Status |
---|---|---|
shadow | artful | Ignored (end of life) |
shadow | bionic | Needed |
shadow | cosmic | Ignored (end of life) |
shadow | disco | Ignored (end of life) |
shadow | eoan | Ignored (end of life) |
shadow | focal | Needed |
shadow | groovy | Ignored (end of life) |
shadow | hirsute | Ignored (end of life) |
shadow | impish | Ignored (end of life) |
shadow | jammy | Released (1:4.8.1-2ubuntu2.1) |
shadow | kinetic | Released (1:4.11.1+dfsg1-2ubuntu1.1) |
shadow | lucid | Ignored (end of life) |
shadow | lunar | Not vulnerable (1:4.13+dfsg1-1ubuntu1) |
shadow | mantic | Not vulnerable (1:4.13+dfsg1-1ubuntu1) |
shadow | noble | Not vulnerable (1:4.13+dfsg1-1ubuntu1) |
shadow | precise | Ignored (end of life) |
shadow | trusty | Needed |
shadow | upstream | Released (4.13) |
shadow | utopic | Ignored (end of life) |
shadow | vivid | Ignored (end of life) |
shadow | wily | Ignored (end of life) |
shadow | xenial | Needed |
shadow | yakkety | Ignored (end of life) |
shadow | zesty | Ignored (end of life) |
Patches
- upstream: https://github.com/shadow-maint/shadow/pull/483/commits/b4472167c2f5057d56686d3349a9b55fc508efe6
- upstream: https://github.com/shadow-maint/shadow/pull/545/commits/83d42e9e884829be028b3d2b276dc35bfc8c30cf
- upstream: https://github.com/shadow-maint/shadow/pull/545/commits/479fc86fbe4add5ae0c66571965627c8fbac881d
- upstream: https://github.com/shadow-maint/shadow/pull/545/commits/e0d33fe77cee9364fffbfa58c499b459040d4c7f
- upstream: https://github.com/shadow-maint/shadow/pull/545/commits/14fcd7b412a7a13973a9453fd97f60fc277ebd0f
- upstream: https://github.com/shadow-maint/shadow/pull/545/commits/e666de721aedf6deae8b11bef2e0701cf110f307
- upstream: https://github.com/shadow-maint/shadow/pull/545/commits/3db58ddf6394dfd1a0fe81dcb94dc81fe9fe6d6a
- upstream: https://github.com/shadow-maint/shadow/pull/545/commits/6b228b2ba5a24f48bf6e74710cbd9582b157bde5
Severity score breakdown
Parameter | Value |
---|---|
Base score | 4.7 |
Attack vector | Local |
Attack complexity | High |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N |
References
- https://github.com/shadow-maint/shadow/issues/317
- https://github.com/shadow-maint/shadow/pull/545
- https://ubuntu.com/security/notices/USN-5745-1
- https://ubuntu.com/security/notices/USN-5745-2
- https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1998169
- https://www.cve.org/CVERecord?id=CVE-2013-4235
- NVD
- Launchpad
- Debian