The libuser library implements a standardized interface for manipulating and administering user and group accounts. Sample applications that are modeled after applications from the shadow password suite (shadow-utils) are included in these packages.
Two flaws were found in the way the libuser library handled the /etc/passwd file. A local attacker could use an application compiled against libuser (for example, userhelper) to manipulate the /etc/passwd file, which could result in a denial of service or possibly allow the attacker to escalate their privileges to root. (CVE-2015-3245, CVE-2015-3246)
Red Hat would like to thank Qualys for reporting these issues.
All libuser users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.