Candidate: CVE-2019-19882
PublicDate: 2019-12-18 16:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19882
 https://github.com/shadow-maint/shadow/pull/199
 https://github.com/void-linux/void-packages/pull/17580
Description:
 shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux,
 and Void Linux, allows local users to obtain root access because setuid
 programs are misconfigured. Specifically, this affects shadow 4.8 when
 compiled using --with-libpam but without explicitly passing
 --disable-account-tools-setuid, and without a PAM configuration suitable
 for use with setuid account management tools. This combination leads to
 account management tools (groupadd, groupdel, groupmod, useradd, userdel,
 usermod) that can easily be used by unprivileged local users to escalate
 privileges to root in multiple ways. This issue became much more relevant
 in approximately December 2019 when an unrelated bug was fixed (i.e., the
 chmod calls to suidusbins were fixed in the upstream Makefile which is now
 included in the release version 4.8).
Ubuntu-Description:
Notes:
 mdeslaur> In Debian and Ubuntu, shadow is compiled with
 mdeslaur> --disable-account-tools-setuid, so this vulnerability is not
 mdeslaur> present
Mitigation:
Bugs:
 https://bugs.archlinux.org/task/64836
 https://bugs.gentoo.org/702252
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8 HIGH]


Patches_shadow:
 upstream: https://github.com/shadow-maint/shadow/commit/edf7547ad5aa650be868cf2dac58944773c12d75
upstream_shadow: needs-triage
precise/esm_shadow: not-affected
trusty_shadow: ignored (out of standard support)
trusty/esm_shadow: not-affected
xenial_shadow: not-affected (1:4.2-3.1ubuntu5.4)
esm-infra/xenial_shadow: not-affected (1:4.2-3.1ubuntu5.4)
bionic_shadow: not-affected (1:4.5-1ubuntu2)
disco_shadow: not-affected (1:4.5-1.1ubuntu2)
eoan_shadow: not-affected (1:4.5-1.1ubuntu4)
devel_shadow: not-affected (1:4.5-1.1ubuntu4)