Bug 1099310 - (CVE-2016-6252) VUL-0: CVE-2016-6252: shadow: shadow-utils: Incorrect integer handling results in LPE
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
https://smash.suse.de/issue/171125/
CVSSv2:NVD:CVE-2016-6252:4.6:(AV:L/AC...
Reported: 2018-06-27 12:40 UTC by Marcus Meissner
Modified: 2018-12-17 23:53 UTC (History)
Found By: Security Response Team
Comment 1 Marcus Meissner 2018-06-27 12:40:49 UTC
http://seclists.org/oss-sec/2016/q3/115

...

    there was a *int overflow*, which can be
    tested via 'newuidmap $$ 0 10000 -1' (given that 10000 is listed as allowed)
    which produces no error but tries to write large "count" values to the uid_map
    file

    After checking some kernels, it looks like this int wrap is exploitable as a LPE,
    as kernel is using 32bit uid's that are truncated from unsigned longs (64bit on x64)
    as returned by simple_strtoul() [map_write()]. So newuidmap and kernel have an entire
    different view on the upper and lower bounds, making newuidmap overflow (and pass)
    and still being in bounds inside the kernel.

    So everyone shipping newuidmap as mode 04755 should fix it. :)

shadow-4.2.1/src/Makefile.in has:

  suidubins = chage chfn chsh expiry gpasswd newgrp passwd newuidmap newgidmap

Use CVE-2016-6252 for the incorrect integer handling.
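Added example (my own code, not shadow's and not attached to this bug) of the strict argument validation a setuid mapper needs: each "upper lower count" field is parsed as an unsigned 32-bit id, a leading sign or junk is rejected, and any range that would wrap 32-bit ids is refused, so an input like 'newuidmap $$ 0 10000 -1' fails in user space instead of being passed through. The wrap rule (count non-zero, first + count not exceeding the 32-bit id space) is my assumption of what the kernel enforces on uid_map writes, not something quoted from this page.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Parse one field as a 32-bit id. strtoul() accepts "-1" and hands back
 * a wrapped value, which is the input class in the report above, so a
 * leading sign or whitespace is rejected before anything is converted. */
static int parse_u32(const char *s, uint32_t *out)
{
    char *end;
    unsigned long v;

    if (s == NULL || *s == '\0' || *s == '-' || *s == '+' ||
        isspace((unsigned char)*s))
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > UINT32_MAX)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

/* Validate one "upper lower count" triple as newuidmap receives it.
 * Returns 0 if acceptable, -1 otherwise. The wrap rule below (count
 * non-zero, first + count within 32-bit ids) is an assumption about the
 * kernel's uid_map check; the point is that user space must not hold a
 * wider view of the bounds than the kernel does. */
int check_map_triple(const char *upper, const char *lower, const char *count)
{
    uint32_t u, l, c;

    if (parse_u32(upper, &u) != 0 || parse_u32(lower, &l) != 0 ||
        parse_u32(count, &c) != 0)
        return -1;
    if (c == 0)
        return -1;
    if ((uint64_t)u + c > UINT32_MAX || (uint64_t)l + c > UINT32_MAX)
        return -1;
    return 0;
}
```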
Comment 3 Michael Vetter 2018-07-02 10:48:28 UTC
SLE-12: SR#167959
SLE-12-SP2: SR#167958
Comment 5 Michael Vetter 2018-07-04 09:42:25 UTC
SRs got accepted.
Comment 6 Swamp Workflow Management 2018-07-19 13:14:56 UTC
SUSE-SU-2018:1995-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1099310
CVE References: CVE-2016-6252
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    shadow-4.1.5.1-19.8.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    shadow-4.1.5.1-19.8.1
SUSE Linux Enterprise Server 12-LTSS (src):    shadow-4.1.5.1-19.8.1
Comment 7 Swamp Workflow Management 2018-07-19 13:16:19 UTC
SUSE-SU-2018:1997-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1099310
CVE References: CVE-2016-6252
Sources used:
SUSE OpenStack Cloud 7 (src):    shadow-4.2.1-27.9.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    shadow-4.2.1-27.9.1
SUSE Linux Enterprise Server 12-SP3 (src):    shadow-4.2.1-27.9.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    shadow-4.2.1-27.9.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    shadow-4.2.1-27.9.1
SUSE Enterprise Storage 4 (src):    shadow-4.2.1-27.9.1
SUSE CaaS Platform ALL (src):    shadow-4.2.1-27.9.1
OpenStack Cloud Magnum Orchestration 7 (src):    shadow-4.2.1-27.9.1
Comment 8 Swamp Workflow Management 2018-07-28 14:03:12 UTC
openSUSE-SU-2018:2127-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1099310
CVE References: CVE-2016-6252
Sources used:
openSUSE Leap 42.3 (src):    shadow-4.2.1-16.1
Comment 9 Marcus Meissner 2018-08-01 07:21:57 UTC
released
Comment 10 Swamp Workflow Management 2018-08-20 13:08:52 UTC
SUSE-SU-2018:2448-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1099310
CVE References: CVE-2016-6252
Sources used:
SUSE CaaS Platform 3.0 (src):    shadow-4.2.1-27.16.1
Comment 11 Swamp Workflow Management 2018-10-18 17:59:03 UTC
SUSE-SU-2018:1997-2: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1099310
CVE References: CVE-2016-6252
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    shadow-4.2.1-27.9.1