[SECURITY] [DLA 4130-1] shadow security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4130-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
April 18, 2025                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : shadow
Version : 1:4.8.1-1+deb11u1
CVE ID : CVE-2023-4641 CVE-2023-29383
Debian Bug : 1034482 1051062
Several vulnerabilities were discovered in the shadow suite of login
tools. An attacker may extract a password from memory in limited
situations, and confuse an administrator inspecting /etc/passwd from
within a terminal.
CVE-2023-4641
When asking for a new password, shadow-utils prompts for the password
twice. If the confirmation on the second attempt fails, shadow-utils
does not clear the buffer that stored the first entry. This may allow
an attacker with sufficient access to retrieve the password from
memory.
CVE-2023-29383
It is possible to inject control characters into fields provided
to the SUID program chfn (change finger). Although it is not
possible to exploit this directly (e.g., adding a new user fails
because \n is in the block list), it is possible to misrepresent
the /etc/passwd file when viewed.
For Debian 11 bullseye, these problems have been fixed in version
1:4.8.1-1+deb11u1.
We recommend that you upgrade your shadow packages.
For the detailed security status of shadow please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/shadow
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS