← Back to CVE List

CVE-2025-0374

Published: 2025-01-30T05:15Z
Last Modified: 2025-02-07T17:15Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
When etcupdate encounters conflicts while merging files, it saves a version containing conflict markers in /var/db/etcupdate/conflicts. This version does not preserve the mode of the input file, and is world-readable. This applies to files that would normally have restricted visibility, such as /etc/master.passwd. An unprivileged local user may be able to read encrypted root and user passwords from the temporary master.passwd file created in /var/db/etcupdate/conflicts. This is possible only when conflicts within the password file arise during an update, and the unprotected file is deleted when conflicts are resolved. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt