The Shadow Utilities contain a vulnerability that may result in new user mailboxes having arbitrary permissions.
The Shadow Utilities provide tools to manage user accounts.
When the useradd utility creates a new mailbox, it calls open() with O_CREAT set but without the expected arguments. As a result, random permissions are applied to the new mailbox.
A local, unprivileged attacker may be able to gain access to newly created mailbox files.
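The following added example (not code from shadow-utils or from a vendor patch) shows the call pattern described above next to a creation routine that always supplies a mode, plus a check for existing mailboxes whose permissions are too broad. The function names and the 0600 policy are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Flawed pattern described in the note (kept as a comment, not compiled):
 *     fd = open(path, O_CREAT | O_WRONLY | O_TRUNC);
 * With O_CREAT set and no third argument, the file mode is taken from
 * whatever value happens to be in that argument position. */

#define MAILBOX_MODE 0600 /* assumed policy: owner read/write only */

/* Create a new mailbox with a fixed mode. Returns 0 on success, -1 on error. */
int create_mailbox(const char *path)
{
    /* O_EXCL makes the call fail if the path already exists (file or symlink). */
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, MAILBOX_MODE);
    if (fd < 0)
        return -1;
    /* The umask can only clear bits; fchmod pins the exact mode. */
    if (fchmod(fd, MAILBOX_MODE) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return close(fd);
}

/* Audit an existing mailbox: returns the permission bits that exceed
 * MAILBOX_MODE (0 means compliant), or -1 if it cannot be examined. */
int mailbox_excess_bits(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    return (int)(st.st_mode & 07777 & ~MAILBOX_MODE);
}

/* Report every mailbox path given on the command line that fails the check. */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int extra = mailbox_excess_bits(argv[i]);
        if (extra != 0)
            printf("%s: %s\n", argv[i], extra < 0 ? "cannot examine" : "mode too broad");
    }
    return 0;
}
```

On a system that ran a vulnerable useradd, the audit function can be pointed at each file in the mail spool directory to find mailboxes that need their mode corrected.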
Affected vendors have released updates to address this issue. Users are encouraged to see the Systems Affected portion of this document for a partial list of affected vendors.
Apple Computer, Inc.
F5 Networks, Inc.
Cisco Systems, Inc.
EMC, Inc. (formerly Data General Corporation)
Engarde Secure Linux
IBM Corporation (zseries)
Immunix Communications, Inc.
Ingrian Networks, Inc.
Juniper Networks, Inc.
MontaVista Software, Inc.
QNX, Software Systems, Inc.
Red Hat, Inc.
Silicon Graphics, Inc.
Slackware Linux Inc.
Sun Microsystems, Inc.
Trustix Secure Linux
Wind River Systems, Inc.
This document was written by Jeff Gennari.
Date First Published: 2007-12-14
Date Last Updated: 2007-12-14 16:35 UTC