ALAS-2015-572


Amazon Linux AMI Security Advisory: ALAS-2015-572
Advisory Release Date: 2015-07-27 17:12 Pacific
Severity: Important

Issue Overview:

It was found that libuser, as used in the chfn userhelper functionality, does not properly filter out newline characters, which allows an authenticated local attacker to corrupt the /etc/passwd file and cause a denial of service against the system. (CVE-2015-3245)

A flaw was found in the way the libuser library handled the /etc/passwd file. A local attacker could use an application compiled against libuser (for example, userhelper) to manipulate the /etc/passwd file, which could result in a denial of service or possibly allow the attacker to escalate their privileges to root. (CVE-2015-3246)
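
The kind of field check the first issue describes as missing, together with an integrity check for the resulting corruption, as an added example (not libuser's code and not the fix shipped in these packages). The function names are hypothetical; the only assumption is the passwd(5) layout of one record per line with seven colon-separated fields.

```c
#include <stdio.h>
#include <string.h>

/* 1 if value may be stored in a single passwd(5) field, else 0. A newline
 * would start a new record; a colon would shift every later field. */
int passwd_field_is_safe(const char *value)
{
    if (value == NULL)
        return 0;
    for (const unsigned char *p = (const unsigned char *)value; *p; p++)
        if (*p == ':' || *p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

/* 1 if the len bytes at line form a record with a non-empty name and
 * exactly seven fields (six colons), else 0. */
int passwd_line_is_well_formed(const char *line, size_t len)
{
    size_t colons = 0;
    if (len == 0 || line[0] == ':')
        return 0;
    for (size_t i = 0; i < len; i++)
        if (line[i] == ':')
            colons++;
    return colons == 6;
}

/* Number of malformed records in a passwd-format buffer (blank lines count). */
size_t passwd_count_malformed(const char *buf)
{
    size_t bad = 0;
    while (*buf) {
        size_t len = strcspn(buf, "\n");
        if (!passwd_line_is_well_formed(buf, len))
            bad++;
        buf += len + (buf[len] == '\n');   /* skip the line and its newline */
    }
    return bad;
}

int main(void)
{
    /* Constructed sample: the second record was split by a stray newline. */
    const char *sample = "root:x:0:0:root:/root:/bin/bash\n"
                         "alice:x:500:500:Alice\n"
                         "Room 12:/home/alice:/bin/bash\n";
    printf("malformed records: %zu\n", passwd_count_malformed(sample));
}
```

A non-zero count from passwd_count_malformed on a copy of /etc/passwd is a reason to inspect the file before the next login or reboot.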


Affected Packages:

usermode, libuser


Issue Correction:
Run yum update usermode libuser to update your system.

New Packages:
i686:
    usermode-1.102-3.18.amzn1.i686
    usermode-debuginfo-1.102-3.18.amzn1.i686
    libuser-python-0.56.13-8.15.amzn1.i686
    libuser-0.56.13-8.15.amzn1.i686
    libuser-debuginfo-0.56.13-8.15.amzn1.i686
    libuser-devel-0.56.13-8.15.amzn1.i686

src:
    usermode-1.102-3.18.amzn1.src
    libuser-0.56.13-8.15.amzn1.src

x86_64:
    usermode-1.102-3.18.amzn1.x86_64
    usermode-debuginfo-1.102-3.18.amzn1.x86_64
    libuser-devel-0.56.13-8.15.amzn1.x86_64
    libuser-python-0.56.13-8.15.amzn1.x86_64
    libuser-debuginfo-0.56.13-8.15.amzn1.x86_64
    libuser-0.56.13-8.15.amzn1.x86_64