Vulnerability Note VU#405955
util-linux package vulnerable to privilege escalation when "ptmptmp" file is not removed properly when using "chfn" utility
The util-linux package contains a race condition vulnerability that can be used to elevate privileges on the system.
util-linux is shipped with Red Hat Linux and numerous other Linux distributions. It contains a collection of utility programs, such as fstab, mkfs, and chfn. The BindView RAZOR Team has discovered that because setpwnam.c inadequately locks a temporary file used when making changes to /etc/passwd, a race condition can be used to elevate privileges on the system.
For further details, please see the BindView Advisory.
A local user may be able to elevate their privileges on the system.
Apply a patch from your vendor. As an immediate workaround (provided by BindView), remove the setuid flags from /usr/bin/chfn and /usr/bin/chsh. To remediate the vulnerability, patch the source code as follows.
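The immediate workaround above, as an added shell example (not part of the advisory and not BindView's source patch): it clears the setuid bit on the two binaries and verifies the result. The function names and the `--apply` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: apply and verify the setuid workaround for chfn/chsh.

# Return 0 if the path is a regular file with the setuid bit set.
has_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Strip the setuid bit from each path given and print one status line per path.
# Returns non-zero if any path still carries the bit afterwards.
remove_setuid() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "absent: $f"
        elif has_setuid "$f"; then
            # Re-check after chmod so a silent failure is reported.
            if chmod u-s "$f" && ! has_setuid "$f"; then
                echo "removed: $f"
            else
                echo "FAILED: $f"
                rc=1
            fi
        else
            echo "already clear: $f"
        fi
    done
    return "$rc"
}

# Paths named in the workaround. Nothing is changed unless --apply is given.
if [ "${1:-}" = "--apply" ]; then
    remove_setuid /usr/bin/chfn /usr/bin/chsh
fi
```

With the setuid bit removed, unprivileged users can no longer change their own finger information or login shell with these tools; root still can.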
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Red Hat Inc. | Affected | 26 Jun 2002 | 10 Jul 2002 |
| Sun Microsystems Inc. | Affected | 26 Jun 2002 | 17 Jul 2002 |
| The SCO Group (SCO Linux) | Affected | 26 Jun 2002 | 30 Oct 2002 |
| Alcatel | Not Affected | 26 Jun 2002 | 24 Jul 2002 |
| Cray Inc. | Not Affected | 26 Jun 2002 | 10 Jul 2002 |
| Debian | Not Affected | 26 Jun 2002 | 27 Jun 2002 |
| IBM | Not Affected | 26 Jun 2002 | 17 Jul 2002 |
| Lotus Software | Not Affected | 26 Jun 2002 | 11 Jul 2002 |
| Microsoft Corporation | Not Affected | 26 Jun 2002 | 12 Jul 2002 |
| NetBSD | Not Affected | 26 Jun 2002 | 12 Jul 2002 |
| Openwall GNU/*/Linux | Not Affected | - | 15 Aug 2002 |
| SuSE Inc. | Not Affected | 26 Jun 2002 | 15 Jul 2002 |
| Xerox Corporation | Not Affected | 26 Jun 2002 | 30 May 2003 |
| 3Com | Unknown | 26 Jun 2002 | 10 Jul 2002 |
| Apple Computer Inc. | Unknown | 26 Jun 2002 | 10 Jul 2002 |
Thanks to Michal Zalewski, BindView RAZOR, for reporting this vulnerability.
This document was written by Ian A Finlay.
- CVE IDs: CAN-2002-0638
- Date Public: 29 Jul 2002
- Date First Published: 29 Jul 2002
- Date Last Updated: 30 May 2003
- Severity Metric: 10.97
- Document Revision: 18