Bugzilla – Bug 1099310
VUL-0: CVE-2016-6252: shadow: shadow-utils: Incorrect integer handling results in LPE
Last modified: 2018-12-17 23:53:25 UTC
rh#1358625 Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1358625
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6252
http://www.openwall.com/lists/oss-security/2016/07/19/7
http://seclists.org/oss-sec/2016/q3/115
http://seclists.org/oss-sec/2016/q3/144
http://www.openwall.com/lists/oss-security/2016/07/19/6
http://www.openwall.com/lists/oss-security/2016/07/20/2
http://www.openwall.com/lists/oss-security/2016/07/25/7
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6252.html
http://www.debian.org/security/2017/dsa-3793
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832170
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855943
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6252
http://www.securityfocus.com/bid/92055
https://security.gentoo.org/glsa/201706-02
https://github.com/shadow-maint/shadow/issues/27
http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2016-July/011017.html
http://seclists.org/oss-sec/2016/q3/115

... there was an *int overflow*, which can be tested via 'newuidmap $$ 0 10000 -1' (given that 10000 is listed as allowed), which produces no error but tries to write large "count" values to the uid_map file.

After checking some kernels, it looks like this int wrap is exploitable as an LPE, as the kernel is using 32-bit UIDs that are truncated from unsigned longs (64-bit on x64) as returned by simple_strtoul() [map_write()]. So newuidmap and the kernel have an entirely different view of the upper and lower bounds, making newuidmap overflow (and pass) while still being in bounds inside the kernel. So everyone shipping newuidmap as mode 04755 should fix it. :)

shadow-4.2.1/src/Makefile.in has:
suidubins = chage chfn chsh expiry gpasswd newgrp passwd newuidmap newgidmap

Use CVE-2016-6252 for the incorrect integer handling.
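The comment above describes two sides that disagree about integer width: a setuid newuidmap that does its subuid bound check in unsigned long arithmetic (where "-1" parses to ULONG_MAX and the computed range end wraps), and a kernel that stores the same fields as 32-bit values. The following is an added illustration of that mismatch, written for this page; it is not the shadow-utils or kernel source. range_allowed_vuln() and range_allowed_fixed() are hypothetical stand-ins for the subuid check, kernel_view() only models the u32 truncation, and the allowed range 10000..75535 is a constructed sample corresponding to a subuid grant of 65536 IDs starting at 10000.

```c
/*
 * Added illustration of the integer-handling mismatch behind CVE-2016-6252.
 * Not the shadow-utils or kernel source: range_allowed_vuln() and
 * range_allowed_fixed() are hypothetical stand-ins for the subuid bound
 * check, and kernel_view() models the 32-bit truncation described above.
 *
 * Build and run: cc -std=c99 -Wall -Wextra -o idmap_wrap idmap_wrap.c && ./idmap_wrap
 */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse one argv token like strtoul does: "-1" is accepted and yields ULONG_MAX. */
static bool parse_ulong(const char *s, unsigned long *out)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return false;
    *out = v;
    return true;
}

/*
 * Vulnerable-style check (modelled): the last ID of the requested range is
 * computed in unsigned long arithmetic. With count == ULONG_MAX the sum
 * wraps to start - 2, so a request covering almost the whole ID space
 * appears to lie inside the allowed subuid range [allowed_lo, allowed_hi].
 */
static bool range_allowed_vuln(unsigned long start, unsigned long count,
                               unsigned long allowed_lo, unsigned long allowed_hi)
{
    if (count == 0)
        return false;
    unsigned long end = start + count - 1;   /* wraps for a huge count */
    return start >= allowed_lo && end <= allowed_hi;
}

/*
 * Hardened check: every field must fit the kernel's 32-bit view, start + count
 * must stay within 2^32, and the containment test is written so that no
 * intermediate value can wrap.
 */
static bool range_allowed_fixed(unsigned long start, unsigned long count,
                                unsigned long allowed_lo, unsigned long allowed_hi)
{
    if (count == 0 || count > UINT32_MAX || start > UINT32_MAX)
        return false;
    if (start > UINT32_MAX - count + 1)      /* start + count - 1 would exceed UINT32_MAX */
        return false;
    if (start < allowed_lo || start > allowed_hi)
        return false;
    return count - 1 <= allowed_hi - start;  /* end <= allowed_hi, without computing end */
}

/* Model of the kernel side: each field of the written "first lower count" line
 * is parsed as unsigned long and then stored in a u32, silently truncating. */
struct extent32 {
    uint32_t first;
    uint32_t lower_first;
    uint32_t count;
};

static struct extent32 kernel_view(unsigned long first, unsigned long lower,
                                   unsigned long count)
{
    struct extent32 e = { (uint32_t)first, (uint32_t)lower, (uint32_t)count };
    return e;
}

int main(void)
{
    /* Constructed sample: the caller owns subuids 10000..75535 (65536 IDs). */
    const unsigned long lo = 10000, hi = 75535;
    const char *argv_sample[] = { "0", "10000", "-1" };   /* the oss-sec test input */
    unsigned long upper, lower, count;

    if (!parse_ulong(argv_sample[0], &upper) || !parse_ulong(argv_sample[1], &lower) ||
        !parse_ulong(argv_sample[2], &count))
        return 1;

    printf("parsed count      = %lu\n", count);
    printf("vulnerable check  : %s\n", range_allowed_vuln(lower, count, lo, hi) ? "PASS" : "reject");
    printf("hardened check    : %s\n", range_allowed_fixed(lower, count, lo, hi) ? "PASS" : "reject");
    struct extent32 e = kernel_view(upper, lower, count);
    printf("kernel sees count = %u (0x%x)\n", e.count, e.count);
    printf("legit 0 10000 65536: vuln=%d fixed=%d\n",
           range_allowed_vuln(10000, 65536, lo, hi), range_allowed_fixed(10000, 65536, lo, hi));
    return 0;
}
```

The point of range_allowed_fixed() is that the userspace check has to be expressed in terms of the width the consumer actually uses: rejecting any field above UINT32_MAX, and comparing "count - 1 <= allowed_hi - start" instead of forming start + count - 1, removes both the wrap and the disagreement with the kernel's view.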
SLE-12: SR#167959
SLE-12-SP2: SR#167958
SRs got accepted.
SUSE-SU-2018:1995-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1099310
CVE References: CVE-2016-6252
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src): shadow-4.1.5.1-19.8.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): shadow-4.1.5.1-19.8.1
SUSE Linux Enterprise Server 12-LTSS (src): shadow-4.1.5.1-19.8.1

SUSE-SU-2018:1997-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1099310
CVE References: CVE-2016-6252
Sources used:
SUSE OpenStack Cloud 7 (src): shadow-4.2.1-27.9.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): shadow-4.2.1-27.9.1
SUSE Linux Enterprise Server 12-SP3 (src): shadow-4.2.1-27.9.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): shadow-4.2.1-27.9.1
SUSE Linux Enterprise Desktop 12-SP3 (src): shadow-4.2.1-27.9.1
SUSE Enterprise Storage 4 (src): shadow-4.2.1-27.9.1
SUSE CaaS Platform ALL (src): shadow-4.2.1-27.9.1
OpenStack Cloud Magnum Orchestration 7 (src): shadow-4.2.1-27.9.1

openSUSE-SU-2018:2127-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1099310
CVE References: CVE-2016-6252
Sources used:
openSUSE Leap 42.3 (src): shadow-4.2.1-16.1
released
SUSE-SU-2018:2448-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1099310
CVE References: CVE-2016-6252
Sources used:
SUSE CaaS Platform 3.0 (src): shadow-4.2.1-27.16.1

SUSE-SU-2018:1997-2: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1099310
CVE References: CVE-2016-6252
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src): shadow-4.2.1-27.9.1