[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 468-1] libuser security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : libuser
Version        : 1:0.56.9.dfsg.1-1.2+deb7u1
CVE ID         : CVE-2015-3245 CVE-2015-3246
Debian Bug     : 793465

Two security vulnerabilities were discovered in libuser, a library
that implements a standardized interface for manipulating and
administering user and group accounts, that could lead to a denial of
service or privilege escalation by local users.

CVE-2015-3245
    Incomplete blacklist vulnerability in the chfn function in libuser
    before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper
    program in the usermode package, allows local users to cause a
    denial of service (/etc/passwd corruption) via a newline character
    in the GECOS field.

CVE-2015-3246
    libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the
    userhelper program in the usermode package, directly modifies
    /etc/passwd, which allows local users to cause a denial of service
    (inconsistent file state) by causing an error during the
    modification. NOTE: this issue can be combined with CVE-2015-3245
    to gain privileges.

In addition the usermode package, which depends on libuser, was
rebuilt against the updated version.

For Debian 7 "Wheezy", these problems have been fixed in

libuser 1:0.56.9.dfsg.1-1.2+deb7u1
usermode 1.109-1+deb7u2

We recommend that you upgrade your libuser and usermode packages.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQJ8BAEBCgBmBQJXNMZbXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRBQ0YzRDA4OEVGMzJFREVGNkExQTgzNUZE
OUFEMTRCOTUxM0I1MUU0AAoJENmtFLlRO1HkqacP/1c2GMOmOUTN1XZwiz0D0SND
7XzvJGHpwLe77LOnRKcgB1N2ldZaI/HaauPGEX+IXlbvSNSo6ebEb8gp6eAhn4Cq
1uAAM8RDAoPDIItc6YI38jhW1nSCfBamn34OrqboEbccZA8Ibl6xUmGN34t6u31n
Mz5Ojx369cZrzCChanE5Lj5nv2xhZbFVlrzE/mC3L9wSohMIaGkJEiFD1E/QFmcK
It0WJiGDAMfWu1fWlWfBpzXbWk4lsINQHYYWnz7NyxoL8VAjnAQBV7AJArx8jJK9
D2U81KAG7UvoxR9Jv74cGC2+KkPp+8KVBx5qagghxwfkkCxV3E7vY5ritk7Kt3pp
+PL08SCFS0Yt90QNuvUdDHkVZipFo/gb00LugU+MJEz9qbtLflAvsReeGfqMovbH
WyYCqvH2FWGlCx6FLOasXqSLW1H3te0mJkvQb5JN4NHe/etfkMYLBs0jPBpC6KpU
I9Kq0Ut99VbyJzvzEoNOXYUp40Iwz91NXW/3BYF54YNXD8guZ8G3I0UspP5vaBTN
1yeZ5ItS5/zBJFKnAMAXx4+CQsBN0r5qI+fhEBgY5AdbaFefHfxTo4x72nIgRxg4
NbKQfH9Fhdw2hZB+3QGMm9g8uzLruRqyOl8e/md5H9LTXKUpfLCSanGxMPzu06+2
6GLdywPDIZWteNJulJk8
=K8i9
-----END PGP SIGNATURE-----


Reply to: