CVE-2013-4235

shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees

Status

Show unmaintained releases

Package	Ubuntu Release	Status
shadow	24.10 oracular	Not affected
	24.04 LTS noble	Not affected
	23.10 mantic	Not affected
	23.04 lunar	Not affected
	22.10 kinetic	Fixed 1:4.11.1+dfsg1-2ubuntu1.1
	22.04 LTS jammy	Fixed 1:4.8.1-2ubuntu2.1
	21.10 impish	Ignored end of life
	21.04 hirsute	Ignored end of life
	20.10 groovy	Ignored end of life
	20.04 LTS focal	Vulnerable
	19.10 eoan	Ignored end of life
	19.04 disco	Ignored end of life
	18.10 cosmic	Ignored end of life
	18.04 LTS bionic	Vulnerable
	17.10 artful	Ignored end of life
	17.04 zesty	Ignored end of life
	16.10 yakkety	Ignored end of life
	16.04 LTS xenial	Vulnerable
	15.10 wily	Ignored end of life
	15.04 vivid	Ignored end of life
	14.10 utopic	Ignored end of life
	14.04 LTS trusty	Vulnerable
	12.04 LTS precise	Ignored end of life
	10.04 LTS lucid	Ignored end of life

Notes

ccdm94

The original issue associated with this CVE is issue 317, which provides a fix through commit dcca865. However, another pull request which references this issue was opened at a later date, this being PR 545. This pull request is said to actually address the issue while commit dcca865 was only a work around to the problem. Additionally, from the first comment that can be seen in PR 483, it seems like commit b447216 is also needed in order to completely fix this issue. Three commits fixing regressions introduced by one of the fix commits have been added after release 4.12.2, which is considered by upstream as the fixed release. These commit are: f3bdb28, 10cd68e and cde221b. They are a part of version 4.13 of shadow. One of the commits that needs to be applied in order to fix this CVE introduces a regression in focal and earlier, as seen by launchpad bug 1998169. The commit which seems to cause the issue is commit f3bdb28. Flag AT_SYMLINK_NOFOLLOW is not implemented in the kernel for function fchmodat, and, for focal and earlier, glibc does not contain commit 752dd17443, which fixes this problem. Therefore, useradd was not behaving correctly in focal and earlier once the fix for this issue was applied.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
shadow	Upstream: https://github.com/shadow-maint/shadow/pull/483/commits/b4472167c2f5057d56686d3349a9b55fc508efe6 Upstream: https://github.com/shadow-maint/shadow/pull/545/commits/83d42e9e884829be028b3d2b276dc35bfc8c30cf Upstream: https://github.com/shadow-maint/shadow/pull/545/commits/479fc86fbe4add5ae0c66571965627c8fbac881d Upstream: https://github.com/shadow-maint/shadow/pull/545/commits/e0d33fe77cee9364fffbfa58c499b459040d4c7f Upstream: https://github.com/shadow-maint/shadow/pull/545/commits/14fcd7b412a7a13973a9453fd97f60fc277ebd0f Upstream: https://github.com/shadow-maint/shadow/pull/545/commits/e666de721aedf6deae8b11bef2e0701cf110f307 Upstream: https://github.com/shadow-maint/shadow/pull/545/commits/3db58ddf6394dfd1a0fe81dcb94dc81fe9fe6d6a Upstream: https://github.com/shadow-maint/shadow/pull/545/commits/6b228b2ba5a24f48bf6e74710cbd9582b157bde5

Package

Patch details

shadow

Severity score breakdown

Parameter	Value
Base score	4.7 · Medium
Attack vector	Local
Attack complexity	High
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	High
Availability impact	None
Vector	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

References

Related Ubuntu Security Notices (USN)

USN-5745-1
shadow vulnerability
28 November 2022

Cvss 3 Severity Score

Status

Notes

ccdm94

Patch details

Severity score breakdown

References

Related Ubuntu Security Notices (USN)

Other references