A locally exploitable vulnerability is present in the util-linux package which shipped with Red Hat Linux. [Updated 8 July 2003] Added packages for Red Hat Linux on IBM iSeries and pSeries systems.
The util-linux package contains a large variety of low-level system utilities that are necessary for a Linux system to function. The chfn utility included in this package allows users to modify personal information stored in the system-wide password file, /etc/passwd. In order to modify this file, this application is installed setuid root. Under certain conditions, a carefully crafted attack sequence can be performed to exploit a complex file locking and modification race present in this utility allowing changes to be made to /etc/passwd. In order to successfully exploit the vulnerability and perform privilege escalation there is a need for minimal administrator interaction. Additionally, the password file must be over 4 kilobytes, and the local attackers entry must not be in the last 4 kilobytes of the password file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0638 to this issue. An interim workaround is to remove setuid flags from /usr/bin/chfn and /usr/bin/chsh. All users of Red Hat Linux should update the packages contained in this erratum, which are patched to correct this vulnerability. Many thanks to Michal Zalewski of Bindview for alerting us to this issue.