Debian Security Advisory
DSA-1150-1 shadow -- programming error
- Date Reported:
- 12 Aug 2006
- Affected Packages:
- shadow
- Vulnerable:
- Yes
- Security database references:
- In the Bugtraq database (at SecurityFocus): BugTraq ID 18850.
In Mitre's CVE dictionary: CVE-2006-3378. - More information:
-
A bug has been discovered in several packages that execute the setuid() system call without checking for success when trying to drop privileges, which may fail with some PAM configurations.
For the stable distribution (sarge) this problem has been fixed in version 4.0.3-31sarge8.
For the unstable distribution (sid) this problem has been fixed in version 4.0.17-2.
We recommend that you upgrade your passwd package.
- Fixed in:
-
Debian GNU/Linux 3.1 (sarge)
- Source:
- http://security.debian.org/pool/updates/main/s/shadow/shadow_4.0.3-31sarge8.dsc
- http://security.debian.org/pool/updates/main/s/shadow/shadow_4.0.3-31sarge8.diff.gz
- http://security.debian.org/pool/updates/main/s/shadow/shadow_4.0.3.orig.tar.gz
- http://security.debian.org/pool/updates/main/s/shadow/shadow_4.0.3-31sarge8.diff.gz
- Alpha:
- http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_alpha.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_alpha.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_amd64.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_amd64.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_arm.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_arm.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_i386.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_i386.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_ia64.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_ia64.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_hppa.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_hppa.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_m68k.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_m68k.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_mips.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_mips.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_mipsel.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_mipsel.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_powerpc.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_powerpc.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_s390.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_s390.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_sparc.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_sparc.deb
- http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_sparc.deb
MD5 checksums of the listed files are available in the original advisory.