CVE-2013-4235

2019-12-0300:00:00

ubuntu.com

3.3 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:N/I:P/A:P

4.7 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

0.0005 Low

EPSS

Percentile

17.4%

JSON

shadow: TOCTOU (time-of-check time-of-use) race condition when copying and
removing directory trees

Bugs

Notes

Author	Note
ccdm94	The original issue associated with this CVE is issue 317, which provides a fix through commit dcca865. However, another pull request which references this issue was opened at a later date, this being PR 545. This pull request is said to actually address the issue while commit dcca865 was only a work around to the problem. Additionally, from the first comment that can be seen in PR 483, it seems like commit b447216 is also needed in order to completely fix this issue. Three commits fixing regressions introduced by one of the fix commits have been added after release 4.12.2, which is considered by upstream as the fixed release. These commit are: f3bdb28, 10cd68e and cde221b. They are a part of version 4.13 of shadow. One of the commits that needs to be applied in order to fix this CVE introduces a regression in focal and earlier, as seen by launchpad bug 1998169. The commit which seems to cause the issue is commit f3bdb28. Flag AT_SYMLINK_NOFOLLOW is not implemented in the kernel for function fchmodat, and, for focal and earlier, glibc does not contain commit 752dd17443, which fixes this problem. Therefore, useradd was not behaving correctly in focal and earlier once the fix for this issue was applied.

Author

Note

ccdm94

The original issue associated with this CVE is issue 317, which provides a fix through commit dcca865. However, another pull request which references this issue was opened at a later date, this being PR 545. This pull request is said to actually address the issue while commit dcca865 was only a work around to the problem. Additionally, from the first comment that can be seen in PR 483, it seems like commit b447216 is also needed in order to completely fix this issue. Three commits fixing regressions introduced by one of the fix commits have been added after release 4.12.2, which is considered by upstream as the fixed release. These commit are: f3bdb28, 10cd68e and cde221b. They are a part of version 4.13 of shadow. One of the commits that needs to be applied in order to fix this CVE introduces a regression in focal and earlier, as seen by launchpad bug 1998169. The commit which seems to cause the issue is commit f3bdb28. Flag AT_SYMLINK_NOFOLLOW is not implemented in the kernel for function fchmodat, and, for focal and earlier, glibc does not contain commit 752dd17443, which fixes this problem. Therefore, useradd was not behaving correctly in focal and earlier once the fix for this issue was applied.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchshadow< anyUNKNOWN
ubuntu20.04noarchshadow< anyUNKNOWN
ubuntu22.04noarchshadow< 1:4.8.1-2ubuntu2.1UNKNOWN
ubuntu22.10noarchshadow< 1:4.11.1+dfsg1-2ubuntu1.1UNKNOWN
ubuntu14.04noarchshadow< anyUNKNOWN
ubuntu16.04noarchshadow< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	shadow	< any	UNKNOWN
ubuntu	20.04	noarch	shadow	< any	UNKNOWN
ubuntu	22.04	noarch	shadow	< 1:4.8.1-2ubuntu2.1	UNKNOWN
ubuntu	22.10	noarch	shadow	< 1:4.11.1+dfsg1-2ubuntu1.1	UNKNOWN
ubuntu	14.04	noarch	shadow	< any	UNKNOWN
ubuntu	16.04	noarch	shadow	< any	UNKNOWN