The Shadow Utilities contain a vulnerability that may result in new user mailboxes having arbitrary permissions.
The Shadow Utilities provide tools to manage user accounts.
When a new mailbox is created using the useradd utility, the open() function does not receive the expected arguments while O_CREAT is present. The result of this error is that random permissions are applied to the new mailbox.
A local, unprivileged attacker may be able to gain access to newly created mailbox files.
Affected vendors have released updates to address this issue. Users are encouraged to see the Systems Affected portion of this document for a partial list of affected vendors.
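The defect class described above and a hardened way to create the file, as an added example (not code from the Shadow Utilities or from this note). POSIX `open()` takes the permission bits as a third argument whenever `O_CREAT` is set. The helper names `create_mailbox`, `mailbox_mode` and `demo_mode`, the temporary path and the 0660 mode are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Defect class from the note, left as a comment because calling it is
 * undefined behaviour: with O_CREAT, open() reads the mode from its variadic
 * arguments, so omitting it leaves the permission bits indeterminate:
 *     fd = open(path, O_CREAT | O_EXCL | O_WRONLY);                      */

/* Hypothetical helper: create a mailbox with exactly the requested mode. */
int create_mailbox(const char *path, mode_t mode)
{
    /* Explicit mode 0; O_EXCL | O_NOFOLLOW refuses existing files/symlinks. */
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY | O_NOFOLLOW, (mode_t)0);
    if (fd < 0)
        return -1;
    /* fchmod() acts on the descriptor and is not filtered by the umask. */
    if (fchmod(fd, mode) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return close(fd);
}

/* Audit check: permission bits of a regular file, or -1 on error. */
int mailbox_mode(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Runs both on a constructed temporary path; returns the resulting mode. */
int demo_mode(void)
{
    char dir[] = "/tmp/mboxdemoXXXXXX", path[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/user", dir);
    int mode = create_mailbox(path, 0660) == 0 ? mailbox_mode(path) : -1;
    unlink(path);
    rmdir(dir);
    return mode;
}
int main(void) { printf("mode=%04o\n", (unsigned)demo_mode()); return 0; }
```

`mailbox_mode()` can also be pointed at existing mailbox files to find any whose permission bits differ from the expected value.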
Gentoo Linux Affected
Apple Computer, Inc. Not Affected
F5 Networks, Inc. Not Affected
Openwall GNU/*/Linux Not Affected
Cisco Systems, Inc. Unknown
Conectiva Inc. Unknown
Cray Inc. Unknown
Debian GNU/Linux Unknown
Engarde Secure Linux Unknown
Fedora Project Unknown
FreeBSD, Inc. Unknown
Hewlett-Packard Company Unknown
IBM Corporation Unknown
IBM Corporation (zseries) Unknown
IBM eServer Unknown
Immunix Communications, Inc. Unknown
Ingrian Networks, Inc. Unknown
Juniper Networks, Inc. Unknown
Mandriva, Inc. Unknown
Microsoft Corporation Unknown
MontaVista Software, Inc. Unknown
NEC Corporation Unknown
Novell, Inc. Unknown
QNX, Software Systems, Inc. Unknown
Red Hat, Inc. Unknown
SUSE Linux Unknown
Silicon Graphics, Inc. Unknown
Slackware Linux Inc. Unknown
Sony Corporation Unknown
Sun Microsystems, Inc. Unknown
Trustix Secure Linux Unknown
Wind River Systems, Inc. Unknown
This document was written by Jeff Gennari.
Date First Published: 2007-12-14
Date Last Updated: 2007-12-14 16:35 UTC