Ubuntu has issued an advisory today (November 28): https://ubuntu.com/security/notices/USN-5745-1 The issue is fixed upstream in 4.13 (just updated in Cauldron).
Status comment: (none) => Patches available from upstream and Ubuntu
Thank you for updating the package in Cauldron. So it is poised for M8: in which case, are the indicated patches still relevant? No one packager visible for this, so assigning the M8 update globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated package fixes a security vulnerability:

shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees. (CVE-2013-4235)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235
https://ubuntu.com/security/notices/USN-5745-1
========================

Updated package in core/updates_testing:
========================
shadow-utils-4.6-4.1.mga8

from SRPM:
shadow-utils-4.6-4.1.mga8.src.rpm
CVE: (none) => CVE-2013-423
Status comment: Patches available from upstream and Ubuntu => (none)
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Are we affected by the regression that Ubuntu had to fix in this update? https://ubuntu.com/security/notices/USN-5745-2
No sign of the regression. Before and after installing the update, the results of useradd appear to be the same.

After installing the update ...

[root@x3 ~]# ll /home/newid
ls: cannot access '/home/newid': No such file or directory
[root@x3 ~]# useradd newid
[root@x3 ~]# ll /home/newid
total 44
-rw-r--r-- 1 newid newid 387 Dec 15 2020 .bash_completion
-rw-r--r-- 1 newid newid 24 Oct 1 15:13 .bash_logout
-rw-r--r-- 1 newid newid 208 Oct 1 15:13 .bash_profile
-rw-r--r-- 1 newid newid 124 Oct 1 15:13 .bashrc
drwxr-xr-x 2 newid newid 4096 Jan 12 2013 .gnome2/
drwxr-xr-x 2 newid newid 4096 Nov 21 2020 .italc/
-rw-r--r-- 1 newid newid 172 May 4 2018 .kshrc
-rw-r--r-- 1 newid newid 1107 Aug 21 2013 .mkshrc
drwxr-xr-x 4 newid newid 4096 Feb 13 2020 .mozilla/
-rw-r--r-- 1 newid newid 3793 Feb 27 2021 .screenrc
drwx------ 2 newid newid 4096 Feb 11 2020 tmp/
[root@x3 ~]# userdel -r newid
userdel: newid mail spool (/var/spool/mail/newid) not found
[root@x3 ~]# ll /home/newid
ls: cannot access '/home/newid': No such file or directory

We'll need to test this more thoroughly before validating.
CC: (none) => davidwhodgins
MGA8-64 MATE on Acer Aspire 5253. Before installing I checked whether this rpm was already installed in a previous version; it wasn't. Then I read about the contents of this rpm and its commands: I find things there like adduser, pwck etc... But these exist already on my system in /usr/sbin, adduser being a link to useradd. So if I install this rpm, it will overwrite those existing ones ???? And when I remove the rpm, the commands are gone altogether ?????
CC: (none) => herman.viaene
There's no way you don't already have this installed.
# urpme --test shadow-utils
Removing the following package will break your system:
  basesystem-minimal-8-0.4.mga8.x86_64
   (due to missing basesystem-minimal-core,
    due to missing makedev,
    due to missing initscripts,
    due to missing cronie,
    due to missing iproute2)
@David You're right. The checkbox here is a very light grey, I overlooked the flag, indicating it can't be removed in MCC.
Installing new version works OK.

# useradd prutser
# getent passwd {1000..60000}
tester8:x:1000:1000:Tester8:/home/tester8:/bin/bash
prutser:x:1001:1001::/home/prutser:/bin/bash
# usermod -p pruts prutser
# pwck
user 'adm': directory '/var/adm' does not exist
user 'news': directory '/var/spool/news' does not exist
user 'uucp': directory '/var/spool/uucp' does not exist
user 'rpc': directory '/var/lib/rpcbind' does not exist
user 'avahi-autoipd': directory '/var/lib/avahi-autoipd' does not exist
user 'squid': directory '/var/spool/squid' does not exist
pwck: no changes
# userdel prutser
# userdel prutser
# getent passwd {1000..60000}
tester8:x:1000:1000:Tester8:/home/tester8:/bin/bash

All seem to work OK
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in comment 2. "We'll need to test this more thoroughly before validating." Dave Hodgins, if you think even more testing is needed, feel free to remove the validation.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0455.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED