Security Information / 2004 / Security Information -- DSA-585-1 shadow

Debian Security Advisory

DSA-585-1 shadow -- programming error

Date Reported:

05 Nov 2004

Affected Packages:

shadow

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2004-1001.

More information:

A vulnerability has been discovered in the shadow suite which provides programs like chfn and chsh. It is possible for a user, who is logged in but has an expired password to alter his account information with chfn or chsh without having to change the password. The problem was originally thought to be more severe.

For the stable distribution (woody) this problem has been fixed in version 20000902-12woody1.

For the unstable distribution (sid) this problem has been fixed in version 4.0.3-30.3.

We recommend that you upgrade your passwd package (from the shadow suite).

Fixed in:

Debian GNU/Linux 3.0 (woody)

Source:

http://security.debian.org/pool/updates/main/s/shadow/shadow_20000902-12woody1.dsc

http://security.debian.org/pool/updates/main/s/shadow/shadow_20000902-12woody1.diff.gz

http://security.debian.org/pool/updates/main/s/shadow/shadow_20000902.orig.tar.gz

Alpha:

http://security.debian.org/pool/updates/main/s/shadow/login_20000902-12woody1_alpha.deb

http://security.debian.org/pool/updates/main/s/shadow/passwd_20000902-12woody1_alpha.deb

ARM:

http://security.debian.org/pool/updates/main/s/shadow/login_20000902-12woody1_arm.deb

http://security.debian.org/pool/updates/main/s/shadow/passwd_20000902-12woody1_arm.deb

Intel IA-32:

http://security.debian.org/pool/updates/main/s/shadow/login_20000902-12woody1_i386.deb

http://security.debian.org/pool/updates/main/s/shadow/passwd_20000902-12woody1_i386.deb

Intel IA-64:

http://security.debian.org/pool/updates/main/s/shadow/login_20000902-12woody1_ia64.deb

http://security.debian.org/pool/updates/main/s/shadow/passwd_20000902-12woody1_ia64.deb

HPPA:

http://security.debian.org/pool/updates/main/s/shadow/login_20000902-12woody1_hppa.deb

http://security.debian.org/pool/updates/main/s/shadow/passwd_20000902-12woody1_hppa.deb

Motorola 680x0:

http://security.debian.org/pool/updates/main/s/shadow/login_20000902-12woody1_m68k.deb

http://security.debian.org/pool/updates/main/s/shadow/passwd_20000902-12woody1_m68k.deb

Big endian MIPS:

http://security.debian.org/pool/updates/main/s/shadow/login_20000902-12woody1_mips.deb

http://security.debian.org/pool/updates/main/s/shadow/passwd_20000902-12woody1_mips.deb

Little endian MIPS:

http://security.debian.org/pool/updates/main/s/shadow/login_20000902-12woody1_mipsel.deb

http://security.debian.org/pool/updates/main/s/shadow/passwd_20000902-12woody1_mipsel.deb

PowerPC:

http://security.debian.org/pool/updates/main/s/shadow/login_20000902-12woody1_powerpc.deb

http://security.debian.org/pool/updates/main/s/shadow/passwd_20000902-12woody1_powerpc.deb

IBM S/390:

http://security.debian.org/pool/updates/main/s/shadow/login_20000902-12woody1_s390.deb

http://security.debian.org/pool/updates/main/s/shadow/passwd_20000902-12woody1_s390.deb

Sun Sparc:

http://security.debian.org/pool/updates/main/s/shadow/login_20000902-12woody1_sparc.deb

http://security.debian.org/pool/updates/main/s/shadow/passwd_20000902-12woody1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.