full-disclosure-uk May 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] rPSA-2007-0096-1 shadow

[Full-disclosure] rPSA-2007-0096-1 shadow

From: rPath Update Announcements <announce-noreply_at_nospam>
Date: Fri May 11 2007 - 17:31:30 GMT
To: security-announce@lists.rpath.com, update-announce@lists.rpath.com


rPath Security Advisory: 2007-0096-1
Published: 2007-05-11
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:

    Indirect Non-deterministic Weakness
Updated Versions:

    shadow=/conary.rpath.com@rpl:devel//1/4.0.7-14.2-1

References:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1174     https://issues.rpath.com/browse/RPL-1357

Description:

    Previous versions of the shadow package have a weakness in the     useradd program; it may in some cases create new mail spool files     with a mode that may be vulnerable to reading and/or writing by     attackers with local system access. Note that, despite the clear bug     in the source code, we have seen no instances in practice of mail     spool files being created with insecure permissions. This update     will not fix permissions on existing system mailbox files, since it     is not possible to determine if any particular set of permissions     was chosen intentionally. Mail spool files are normally mode 660.

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License. A copy is available at http://www.rpath.com/permanent/mit-license.html



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/