Debian-LTS alert DLA-468-1 (libuser)
| From: | Markus Koschany <apo@debian.org> | |
| To: | debian-lts-announce@lists.debian.org | |
| Subject: | [SECURITY] [DLA 468-1] libuser security update | |
| Date: | Thu, 12 May 2016 20:07:24 +0200 | |
| Message-ID: | <5734C65C.80500@debian.org> |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package : libuser Version : 1:0.56.9.dfsg.1-1.2+deb7u1 CVE ID : CVE-2015-3245 CVE-2015-3246 Debian Bug : 793465 Two security vulnerabilities were discovered in libuser, a library that implements a standardized interface for manipulating and administering user and group accounts, that could lead to a denial of service or privilege escalation by local users. CVE-2015-3245 Incomplete blacklist vulnerability in the chfn function in libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, allows local users to cause a denial of service (/etc/passwd corruption) via a newline character in the GECOS field. CVE-2015-3246 libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, directly modifies /etc/passwd, which allows local users to cause a denial of service (inconsistent file state) by causing an error during the modification. NOTE: this issue can be combined with CVE-2015-3245 to gain privileges. In addition the usermode package, which depends on libuser, was rebuilt against the updated version. For Debian 7 "Wheezy", these problems have been fixed in libuser 1:0.56.9.dfsg.1-1.2+deb7u1 usermode 1.109-1+deb7u2 We recommend that you upgrade your libuser and usermode packages. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQJ8BAEBCgBmBQJXNMZbXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRBQ0YzRDA4OEVGMzJFREVGNkExQTgzNUZE OUFEMTRCOTUxM0I1MUU0AAoJENmtFLlRO1HkqacP/1c2GMOmOUTN1XZwiz0D0SND 7XzvJGHpwLe77LOnRKcgB1N2ldZaI/HaauPGEX+IXlbvSNSo6ebEb8gp6eAhn4Cq 1uAAM8RDAoPDIItc6YI38jhW1nSCfBamn34OrqboEbccZA8Ibl6xUmGN34t6u31n Mz5Ojx369cZrzCChanE5Lj5nv2xhZbFVlrzE/mC3L9wSohMIaGkJEiFD1E/QFmcK It0WJiGDAMfWu1fWlWfBpzXbWk4lsINQHYYWnz7NyxoL8VAjnAQBV7AJArx8jJK9 D2U81KAG7UvoxR9Jv74cGC2+KkPp+8KVBx5qagghxwfkkCxV3E7vY5ritk7Kt3pp +PL08SCFS0Yt90QNuvUdDHkVZipFo/gb00LugU+MJEz9qbtLflAvsReeGfqMovbH WyYCqvH2FWGlCx6FLOasXqSLW1H3te0mJkvQb5JN4NHe/etfkMYLBs0jPBpC6KpU I9Kq0Ut99VbyJzvzEoNOXYUp40Iwz91NXW/3BYF54YNXD8guZ8G3I0UspP5vaBTN 1yeZ5ItS5/zBJFKnAMAXx4+CQsBN0r5qI+fhEBgY5AdbaFefHfxTo4x72nIgRxg4 NbKQfH9Fhdw2hZB+3QGMm9g8uzLruRqyOl8e/md5H9LTXKUpfLCSanGxMPzu06+2 6GLdywPDIZWteNJulJk8 =K8i9 -----END PGP SIGNATURE-----