CVE-2013-4235

Published: 3 December 2019

shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees

Notes

Author: ccdm94
The original issue associated with this CVE is issue 317,
which provides a fix through commit dcca865. However, another
pull request which references this issue was opened at a
later date, this being PR 545. This pull request is said
to actually address the issue while commit dcca865 was only
a workaround to the problem. Additionally, from the first
comment that can be seen in PR 483, it seems like commit
b447216 is also needed in order to completely fix this
issue. Three commits fixing regressions introduced
by one of the fix commits have been added after release
4.12.2, which is considered by upstream as the fixed release.
These commits are: f3bdb28, 10cd68e and cde221b. They are
a part of version 4.13 of shadow.

One of the commits that needs to be applied in order to fix
this CVE introduces a regression in focal and earlier, as
seen by launchpad bug 1998169. The commit which seems to
cause the issue is commit f3bdb28. Flag AT_SYMLINK_NOFOLLOW
is not implemented in the kernel for function fchmodat, and,
for focal and earlier, glibc does not contain commit
752dd17443, which fixes this problem. Therefore, useradd was
not behaving correctly in focal and earlier once the fix for
this issue was applied.
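
The regression in the note comes from a caller relying on fchmodat() to honour AT_SYMLINK_NOFOLLOW. As an added example (not code from shadow, glibc or this tracker), one way a caller can stay symlink-safe when the flag is rejected with ENOTSUP is to pin the entry with O_PATH | O_NOFOLLOW and chmod it through /proc/self/fd. The names chmod_nofollow and demo and the temporary directory are hypothetical, and the code assumes Linux with /proc mounted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not shadow's code: chmod dirfd/name, never a symlink's target. */
int chmod_nofollow(int dirfd, const char *name, mode_t mode)
{
    /* Fast path: succeeds where libc and kernel support the flag. */
    if (fchmodat(dirfd, name, mode, AT_SYMLINK_NOFOLLOW) == 0) return 0;
    if (errno != ENOTSUP) return -1;
    /* Fallback: pin the entry itself with O_PATH, then check what was pinned. */
    int fd = openat(dirfd, name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    char path[64];
    int rc = -1, err = EOPNOTSUPP;      /* default: a symlink was pinned, refuse */
    if (fstat(fd, &st) != 0) {
        err = errno;
    } else if (!S_ISLNK(st.st_mode)) {
        snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
        rc = chmod(path, mode);         /* resolves to the pinned inode */
        err = errno;
    }
    close(fd);
    errno = err;
    return rc;
}

/* Constructed scenario: returns 0 if the file is chmod-ed and its symlink is refused. */
int demo(void)
{
    char dir[] = "/tmp/nofollow-demo.XXXXXX";
    struct stat st;
    if (!mkdtemp(dir)) return 1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int tfd = openat(dfd, "target", O_CREAT | O_WRONLY | O_EXCL, 0600);
    int bad = tfd < 0 || symlinkat("target", dfd, "link") != 0
           || chmod_nofollow(dfd, "target", 0640) != 0
           || chmod_nofollow(dfd, "link", 0777) != -1      /* must be refused */
           || fstat(tfd, &st) != 0 || (st.st_mode & 07777) != 0640;
    unlinkat(dfd, "link", 0); unlinkat(dfd, "target", 0); rmdir(dir);
    close(tfd); close(dfd);
    return bad;
}
int main(void) { return demo(); }
```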

Priority

Low

Cvss 3 Severity Score

4.7

Status

Package: shadow

Release   Status
hirsute   Ignored (end of life)
impish    Ignored (end of life)
kinetic   Released (1:4.11.1+dfsg1-2ubuntu1.1)
upstream  Released (4.13)
jammy     Released (1:4.8.1-2ubuntu2.1)
focal     Needed
trusty    Needed
xenial    Needed
artful    Ignored (end of life)
bionic    Needed
cosmic    Ignored (end of life)
disco     Ignored (end of life)
eoan      Ignored (end of life)
groovy    Ignored (end of life)
lucid     Ignored (end of life)
lunar     Not vulnerable (1:4.13+dfsg1-1ubuntu1)
precise   Ignored (end of life)
utopic    Ignored (end of life)
vivid     Ignored (end of life)
wily      Ignored (end of life)
yakkety   Ignored (end of life)
zesty     Ignored (end of life)
mantic    Not vulnerable (1:4.13+dfsg1-1ubuntu1)

Patches:
upstream: https://github.com/shadow-maint/shadow/pull/483/commits/b4472167c2f5057d56686d3349a9b55fc508efe6
upstream: https://github.com/shadow-maint/shadow/pull/545/commits/83d42e9e884829be028b3d2b276dc35bfc8c30cf
upstream: https://github.com/shadow-maint/shadow/pull/545/commits/479fc86fbe4add5ae0c66571965627c8fbac881d
upstream: https://github.com/shadow-maint/shadow/pull/545/commits/e0d33fe77cee9364fffbfa58c499b459040d4c7f
upstream: https://github.com/shadow-maint/shadow/pull/545/commits/14fcd7b412a7a13973a9453fd97f60fc277ebd0f
upstream: https://github.com/shadow-maint/shadow/pull/545/commits/e666de721aedf6deae8b11bef2e0701cf110f307
upstream: https://github.com/shadow-maint/shadow/pull/545/commits/3db58ddf6394dfd1a0fe81dcb94dc81fe9fe6d6a
upstream: https://github.com/shadow-maint/shadow/pull/545/commits/6b228b2ba5a24f48bf6e74710cbd9582b157bde5

Severity score breakdown

Parameter             Value
Base score            4.7
Attack vector         Local
Attack complexity     High
Privileges required   Low
User interaction      None
Scope                 Unchanged
Confidentiality       None
Integrity impact      High
Availability impact   None
Vector                CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N