Debian Security Advisory
DSA-2164-1 shadow -- insufficient input sanitization
- Date Reported:
- 16 Feb 2011
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2011-0721.
- More information:
Kees Cook discovered that the chfn and chsh utilities do not properly sanitize user input that includes newlines. An attacker could use this to corrupt passwd entries and may create users or groups in NIS environments.
Packages in the oldstable distribution (lenny) are not affected by this problem.
For the stable distribution (squeeze), this problem has been fixed in version 1:18.104.22.168+svn3283-2+squeeze1.
For the testing (wheezy) and unstable (sid) distributions, this problem will be fixed soon.
We recommend that you upgrade your shadow packages.