Arch Linux 811 Published by

A shadow security update is available for Arch Linux



Arch Linux Security Advisory ASA-201912-4
=========================================

Severity: High
Date : 2019-12-18
CVE-ID : CVE-2019-19882
Package : shadow
Type : privilege escalation
Remote : No
Link : https://security.archlinux.org/AVG-1079

Summary
=======

The package shadow before version 4.8-1 is vulnerable to privilege
escalation.

Resolution
==========

Upgrade to 4.8-1.

# pacman -Syu "shadow>=4.8-1"

The problem has been fixed upstream in version 4.8.

Workaround
==========

None.

Description
===========

shadow 4.8, in certain circumstances affecting at least Gentoo, Arch
Linux, and Void Linux, allows local users to obtain root access because
setuid programs are misconfigured. Specifically, this affects shadow
4.8 when compiled using --with-libpam but without explicitly passing
--disable-account-tools-setuid, and without a PAM configuration
suitable for use with setuid account management tools. This combination
leads to account management tools (groupadd, groupdel, groupmod,
useradd, userdel, usermod) that can easily be used by unprivileged
local users to escalate privileges to root in multiple ways. This issue
became much more relevant in approximately December 2019 when an
unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed
in the upstream Makefile which is now included in the release version
4.8).

Impact
======

A local authenticated user can escalate privileges by using setuid
binaries.

References
==========

https://bugs.archlinux.org/task/64836
https://bugs.gentoo.org/702252
https://github.com/shadow-maint/shadow/commit/edf7547ad5aa650be868cf2dac58944773c12d75
https://github.com/shadow-maint/shadow/pull/199
https://github.com/void-linux/void-packages/pull/17580
https://security.archlinux.org/CVE-2019-19882