Bug 5456 - libuser security vulnerability (CVE-2015-3245, CVE-2015-3246).
: libuser security vulnerability (CVE-2015-3245, CVE-2015-3246).
Status: RESOLVED FIXED
Product: Desktop Bugs
Classification: ROSA Desktop
Component: Main Packages
: Fresh
: All Linux
: Normal normal
: ---
Assigned To: ROSA Linux Bugs
: ROSA Linux Bugs
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-04-29 14:19 MSD by Zombie Ryushu
Modified: 2016-12-12 01:16 MSK (History)
2 users (show)

See Also:
RPM Package: libuser
ISO-related:
Bad POT generating:
Upstream:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Zombie Ryushu 2015-04-29 14:19:28 MSD
libuser has had a bugfix released

0.61:
* Python 3 is now supported. Consistent with the Python 3 C API and its prevailing usage, only UTF-8 locales work.  Note that importing libuser in non-UTF-8 locales will fail in Python 3.
* The Python extension now requires Python 2.7.
* Translations are now maintained in https://fedora.zanata.org/ .
* tests/fs_test can be edited to truly perform operations as root, without  fakeroot.
* sgml2txt is no longer required for building from the released tarball.
* Miscellaneous bug fixes and cleanups, primarily in the Python extension.
Comment 1 Zombie Ryushu 2015-07-25 21:03:14 MSD
Two flaws were found in the way the libuser library handled the
/etc/passwd file. A local attacker could use an application compiled
against libuser (for example, userhelper) to manipulate the /etc/passwd
file, which could result in a denial of service or possibly allow the
attacker to escalate their privileges to root (CVE-2015-3245,
CVE-2015-3246).
Comment 2 Denis Silakov 2016-12-12 01:16:07 MSK
Our current libuser if free of these issues.