Stay Secure with the Latest Linux Advisories

security advisorydebianmemory leak

Debian DLA-4130-1 Urgent: Shadow Login Tools Vulnerability Fix Released

Several vulnerabilities were discovered in the shadow suite of login tools. An attacker may extract a password from memory in limited situations, and confuse an administrator inspecting /etc/passwd from within a terminal. . - ------------------------------------------------------------------------- Debian LTS Advisory DLA-4130-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/lts/security/ Sylvain Beucler April 18, 2025 https://wiki.debian.org/LTS - ------------------------------------------------------------------------- Package : shadow Version : 1:4.8.1-1+deb11u1 CVE ID : CVE-2023-4641 CVE-2023-29383 Debian Bug : 1034482 1051062 Several vulnerabilities were discovered in the shadow suite of login tools. An attacker may extract a password from memory in limited situations, and confuse an administrator inspecting /etc/passwd from within a terminal. CVE-2023-4641 When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory. CVE-2023-29383 It is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. For Debian 11 bullseye, these problems have been fixed in version 1:4.8.1-1+deb11u1. We recommend that you upgrade your shadow packages. For the detailed security status of shadow please refer to its security tracker page at: https://security-tracker.debian.org/tracker/source-package/shadow Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:https://wiki.debian.org/LTS . Multiple security flaws identified in Debian's shadow suite might enable unauthorized retrieval of passwords and distortion of the /etc/passwd file.. Debian Shadow Tools Security Patch, Debian LTS Security Update, Shadow Security Vulnerabilities. . Severity: Important. LinuxSecurity.com Team

Apr 18, 2025 •Important Debian LTS