[SECURITY] [DLA 4130-1] shadow security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4130-1] shadow security update
From: Sylvain Beucler <beuc@beuc.net>
Date: Fri, 18 Apr 2025 21:44:07 +0200
Message-id: <[🔎] aAKrh10IzscObtM4@mail.beuc.net>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4130-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
April 18, 2025                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : shadow
Version        : 1:4.8.1-1+deb11u1
CVE ID         : CVE-2023-4641 CVE-2023-29383
Debian Bug     : 1034482 1051062

Several vulnerabilities were discovered in the shadow suite of login
tools. An attacker may extract a password from memory in limited
situations, and confuse an administrator inspecting /etc/passwd from
within a terminal.

CVE-2023-4641

    When asking for a new password, shadow-utils asks the password
    twice. If the password fails on the second attempt, shadow-utils
    fails in cleaning the buffer used to store the first entry. This
    may allow an attacker with enough access to retrieve the password
    from the memory.

CVE-2023-29383

    It is possible to inject control characters into fields provided
    to the SUID program chfn (change finger). Although it is not
    possible to exploit this directly (e.g., adding a new user fails
    because \n is in the block list), it is possible to misrepresent
    the /etc/passwd file when viewed.

For Debian 11 bullseye, these problems have been fixed in version
1:4.8.1-1+deb11u1.

We recommend that you upgrade your shadow packages.

For the detailed security status of shadow please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/shadow

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmgCoo8ACgkQDTl9HeUl
XjBS8w//RjsQHv8vBKQHzVSrtEVXXWF1Cy1/Ae7iVwjMO2qohiWqeDQzKL/jyIyS
1Do11dgMTh7m9+DYj6vUyM8kFo2XFcoUCx3Y1X1xLzm3H8SHdKdy2iyiv/xuNgqh
dATYH6Sg0I+Ij0oKH4xKeV/Z9v5SrASc+DnXXSkvUH+J3uPUsKSB3KZhzHMSxg2h
LADVewzPn/Dns2I8g9ah4NqhUObPQiGGbpxviQt29Lmg4FED+hvZmkZjLcdhswzB
k4FTp4CeIsxmNT+F3LrC8u5w54LT1566eM5FI+OQ8UHodWwWA77XYI6FRSDTQEoV
DMeZHSzuTHi6eaQNA1q2sIAN5K8mEQIpwHKkG1Y+lXu6eHGDvVs2/0qM/RS5ac39
ZkiVnw8irwvDOdOK48mf0atwbMHkT6kD5XvR7e3uXJRj9kSVI6G0yggPUHft57M9
HhgIHuo8IrsNVKTgalO/qXo7j7DNJEjevgmFcSVlha2w6R5bZw8aZFUjx2+JSTla
ggWZ0fn58VYCC2etYfnj//mP2Gv4OzfetURpFhkLuoSBtxsCuRRnfhz2z9VcTX6j
Y3dHHFXtMl6MJCRG2PPqp0UaCz++9QDcImoMgL5AvbOqF7xvrM6AsvO92406vI56
BtCqkPnhDiehHgx1Z621vZM+Yj8e7AA9btkt6NnTBZN4UIJQgAI=
=xbLU
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 4129-1] libapache2-mod-auth-openidc security update
Next by Date: [SECURITY] [DLA 4131-1] zabbix security update
Previous by thread: [SECURITY] [DLA 4129-1] libapache2-mod-auth-openidc security update
Next by thread: [SECURITY] [DLA 4131-1] zabbix security update
Index(es):
- Date
- Thread