CVE-2013-4235

Published: 3 December 2019

shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees

Notes

Author: ccdm94
Note:
The original issue associated with this CVE is issue 317,
which provides a fix through commit dcca865. However, another
pull request which references this issue was opened at a
later date, this being PR 545. This pull request is said
to actually address the issue while commit dcca865 was only
a workaround to the problem. Additionally, from the first
comment that can be seen in PR 483, it seems like commit
b447216 is also needed in order to completely fix this
issue. Three commits fixing regressions introduced
by one of the fix commits have been added after release
4.12.2, which is considered by upstream as the fixed release.
These commits are: f3bdb28, 10cd68e and cde221b. They are
a part of version 4.13 of shadow.
One of the commits that needs to be applied in order to fix
this CVE introduces a regression in focal and earlier, as
seen by launchpad bug 1998169. The commit which seems to
cause the issue is commit f3bdb28. Flag AT_SYMLINK_NOFOLLOW
is not implemented in the kernel for function fchmodat, and,
for focal and earlier, glibc does not contain commit
752dd17443, which fixes this problem. Therefore, useradd was
not behaving correctly in focal and earlier once the fix for
this issue was applied.

Priority

Low

CVSS 3 base score: 4.7

Status

Package: shadow (Launchpad, Ubuntu, Debian)

Release: Status
artful: Ignored (reached end-of-life)
bionic: Needed
cosmic: Ignored (reached end-of-life)
disco: Ignored (reached end-of-life)
eoan: Ignored (reached end-of-life)
focal: Needed
groovy: Ignored (reached end-of-life)
hirsute: Ignored (reached end-of-life)
impish: Ignored (reached end-of-life)
jammy: Released (1:4.8.1-2ubuntu2.1)
kinetic: Released (1:4.11.1+dfsg1-2ubuntu1.1)
lucid: Ignored (reached end-of-life)
precise: Ignored (end of ESM support, was needed)
trusty: Needed
upstream: Released (4.13)
utopic: Ignored (reached end-of-life)
vivid: Ignored (reached end-of-life)
wily: Ignored (reached end-of-life)
xenial: Needed
yakkety: Ignored (reached end-of-life)
zesty: Ignored (reached end-of-life)

Patches:
upstream: https://github.com/shadow-maint/shadow/pull/483/commits/b4472167c2f5057d56686d3349a9b55fc508efe6
upstream: https://github.com/shadow-maint/shadow/pull/545/commits/83d42e9e884829be028b3d2b276dc35bfc8c30cf
upstream: https://github.com/shadow-maint/shadow/pull/545/commits/479fc86fbe4add5ae0c66571965627c8fbac881d
upstream: https://github.com/shadow-maint/shadow/pull/545/commits/e0d33fe77cee9364fffbfa58c499b459040d4c7f
upstream: https://github.com/shadow-maint/shadow/pull/545/commits/14fcd7b412a7a13973a9453fd97f60fc277ebd0f
upstream: https://github.com/shadow-maint/shadow/pull/545/commits/e666de721aedf6deae8b11bef2e0701cf110f307
upstream: https://github.com/shadow-maint/shadow/pull/545/commits/3db58ddf6394dfd1a0fe81dcb94dc81fe9fe6d6a
upstream: https://github.com/shadow-maint/shadow/pull/545/commits/6b228b2ba5a24f48bf6e74710cbd9582b157bde5