Your submission was sent successfully! Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2011-0721

Publication date 15 February 2011

Last updated 24 July 2024


Ubuntu priority

Multiple CRLF injection vulnerabilities in (1) chfn and (2) chsh in shadow 1:4.1.4 allow local users to add new users or groups to /etc/passwd via the GECOS field.

From the Ubuntu Security Team

Kees Cook discovered that some shadow utilities did not correctly validate user input. A local attacker could exploit this flaw to inject newlines into the /etc/passwd file. If the system was configured to use NIS, this could lead to existing NIS groups or users gaining or losing access to the system, resulting in a denial of service or unauthorized access.

Read the notes from the security team

Status

Package Ubuntu Release Status
shadow 10.10 maverick
Fixed 1:4.1.4.2-1ubuntu3.2
10.04 LTS lucid
Fixed 1:4.1.4.2-1ubuntu2.2
9.10 karmic
Fixed 1:4.1.4.1-1ubuntu2.2
8.04 LTS hardy
Not affected
6.06 LTS dapper
Not affected

Notes


kees

introduce in the upstream 4.1.2 changes https://alioth.debian.org/scm/viewvc.php?view=rev&root=pkg-shadow&revision=1978

References

Related Ubuntu Security Notices (USN)

    • USN-1065-1
    • shadow vulnerability
    • 15 February 2011

Other references