PublicDateAtUSN: 2017-08-04 09:29:00 UTC
Candidate: CVE-2017-12424
PublicDate: 2017-08-04 09:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12424
 https://ubuntu.com/security/notices/USN-5254-1
Description:
 In shadow before 4.5, the newusers tool could be made to manipulate
 internal data structures in ways unintended by the authors. Malformed input
 may lead to crashes (with a buffer overflow or other memory corruption) or
 other unspecified behaviors. This crosses a privilege boundary in, for
 example, certain web-hosting environments in which a Control Panel allows
 an unprivileged user account to create subaccounts.
Ubuntu-Description:
Notes:
Bugs:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756630
 https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1266675
Priority: low
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_shadow:
 other: https://github.com/shadow-maint/shadow/commit/954e3d2e7113e9ac06632aee3c69b8d818cc8952
upstream_shadow: released (1:4.5-1)
precise/esm_shadow: ignored (end of ESM support, was needs-triage)
trusty_shadow: ignored (reached end-of-life)
trusty/esm_shadow: released (1:4.1.5.1-1ubuntu9.5+esm1)
vivid/ubuntu-core_shadow: ignored (reached end-of-life)
xenial_shadow: ignored (end of standard support, was needed)
esm-infra/xenial_shadow: released (1:4.2-3.1ubuntu5.5+esm1)
zesty_shadow: ignored (reached end-of-life)
artful_shadow: ignored (reached end-of-life)
bionic_shadow: not-affected (1:4.5-1ubuntu1)
cosmic_shadow: not-affected (1:4.5-1ubuntu1)
disco_shadow: not-affected (1:4.5-1ubuntu1)
eoan_shadow: not-affected (1:4.5-1ubuntu1)
focal_shadow: not-affected (1:4.5-1ubuntu1)
groovy_shadow: not-affected (1:4.5-1ubuntu1)
hirsute_shadow: not-affected (1:4.5-1ubuntu1)
impish_shadow: not-affected (1:4.5-1ubuntu1)
jammy_shadow: not-affected (1:4.5-1ubuntu1)
devel_shadow: not-affected (1:4.5-1ubuntu1)