Amazon Linux 1 Security Advisory: ALAS-2015-572
Advisory Release Date: 2015-07-23 10:50 Pacific
Advisory Updated Date: 2015-07-27 17:12 Pacific
It was found that libuser, as used in the chfn userhelper functionality, does not properly filter out newline characters, which allows an authenticated local attacker to corrupt the /etc/passwd file and cause a denial of service against the system. (CVE-2015-3245)
A flaw was found in the way the libuser library handled the /etc/passwd file. A local attacker could use an application compiled against libuser (for example, userhelper) to manipulate the /etc/passwd file, which could result in a denial of service or possibly allow the attacker to escalate their privileges to root. (CVE-2015-3246)
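Both issues above involve values reaching /etc/passwd with characters that have structural meaning in the file. The following is an added example, not code from libuser, usermode or this advisory: a field check that rejects line breaks and the ':' separator, and a read-only linter that flags records damaged in this way. The function names and the sample data are constructed for illustration, and the linter assumes plain local entries (no NIS compat lines).

```python
import re

# ':' separates passwd fields and a line break starts a new record, so
# neither may appear inside a value written to a single field.
_FORBIDDEN = re.compile(r"[:\r\n]")
_NUMERIC = re.compile(r"[0-9]+")


def is_safe_field(value):
    """True if value fits in one passwd field without changing the file's structure."""
    return _FORBIDDEN.search(value) is None


def lint_passwd(text):
    """Return (line_number, problem) pairs for malformed passwd records."""
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # trailing newline of a well-formed file
    problems, seen = [], set()
    for lineno, line in enumerate(lines, start=1):
        fields = line.split(":")
        if len(fields) != 7:
            problems.append((lineno, f"expected 7 fields, found {len(fields)}"))
            continue
        name, _pw, uid, gid, _gecos, _home, _shell = fields
        if not name:
            problems.append((lineno, "empty user name"))
        elif name in seen:
            problems.append((lineno, "duplicate user name"))
        seen.add(name)
        if not (_NUMERIC.fullmatch(uid) and _NUMERIC.fullmatch(gid)):
            problems.append((lineno, "non-numeric UID or GID"))
        elif int(uid) == 0 and name != "root":
            problems.append((lineno, "UID 0 account other than root"))
    return problems


# Constructed sample: the record for "alice" was split by a line break
# inside its GECOS field, leaving two fragments that are not valid records.
SAMPLE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:500:500:Alice Example,Room 1\n"
    "Desk 2:/home/alice:/bin/bash\n"
    "bob:x:501:501:Bob Example:/home/bob:/bin/bash\n"
)

if __name__ == "__main__":
    print(is_safe_field("Alice Example,Room 1"), is_safe_field("Room 1\nDesk 2"))
    for lineno, problem in lint_passwd(SAMPLE):
        print(f"line {lineno}: {problem}")
```

The linter only reports; it never modifies the text it is given, so it can be run against a copy of /etc/passwd before and after the update.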
Affected Packages:
usermode, libuser
Issue Correction:
Run yum update usermode libuser to update your system.
i686:
usermode-1.102-3.18.amzn1.i686
usermode-debuginfo-1.102-3.18.amzn1.i686
libuser-python-0.56.13-8.15.amzn1.i686
libuser-0.56.13-8.15.amzn1.i686
libuser-debuginfo-0.56.13-8.15.amzn1.i686
libuser-devel-0.56.13-8.15.amzn1.i686
src:
usermode-1.102-3.18.amzn1.src
libuser-0.56.13-8.15.amzn1.src
x86_64:
usermode-1.102-3.18.amzn1.x86_64
usermode-debuginfo-1.102-3.18.amzn1.x86_64
libuser-devel-0.56.13-8.15.amzn1.x86_64
libuser-python-0.56.13-8.15.amzn1.x86_64
libuser-debuginfo-0.56.13-8.15.amzn1.x86_64
libuser-0.56.13-8.15.amzn1.x86_64