VYPR
Unrated severity · NVD Advisory · Published Nov 25, 2019 · Updated Aug 6, 2024

CVE-2012-5630

Description

A TOCTOU race condition in libuser 0.56 and 0.57 allows local attackers to escalate privileges or cause data corruption during directory tree copy/remove operations.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

libuser versions 0.56 and 0.57 contain a time-of-check to time-of-use (TOCTOU) race condition when copying and removing directory trees. The vulnerability arises because the check (of permissions or existence) and the subsequent copy or removal are not performed atomically, leaving a window in which an attacker can change filesystem state between the check and the use. This affects useradd and related utilities that rely on libuser for directory manipulation. The bug is identified in the Red Hat Bugzilla as CVE-2012-5630 [1][2].

Exploitation

An attacker with local access to the system can exploit this race condition by carefully timing file operations. The attacker must be able to create or modify files or directories within the path being processed by libuser (for example, using symlinks or other filesystem manipulations). No authentication beyond standard local user access is required. The race window can be repeatedly triggered until the conditions align, making exploitation practical [1][2].

Impact

Successful exploitation could allow an attacker to escalate privileges or compromise data integrity. For example, by replacing a legitimate file with a symbolic link to an arbitrary location (such as /etc/passwd or another sensitive file), the attacker could gain elevated privileges or corrupt system data. Red Hat rates the impact as low severity, since exploitation requires local access and precise timing [1][2].

Mitigation

Red Hat has classified this as a low-severity issue and has decided not to fix it (WONTFIX) because of the limited scope and the inherent difficulty of completely eliminating the race condition without a complete redesign of the affected functions [2]. Debian ships fixed versions in later releases: libuser 1:0.62~dfsg-0.4 (bullseye) and 1:0.64~dfsg-1 (bookworm) [4]. Users of affected versions should upgrade to a patched release where available. No workaround is documented.
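The check-then-use window described under Vulnerability, and the descriptor-based pattern that closes it, as an added C example. This is not libuser's code and does not reflect how the affected copy/remove routines were written or fixed: the naive routine decides by path name with lstat() and then opens by path name; the hardened routine opens with O_NOFOLLOW and checks the result with fstat(), so the object checked is the object used. The fixture files under /tmp, the race hook that models a concurrent filesystem change, and all function names are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check-then-use, the pattern behind the CVE: decide by path name, then act by
 * path name. `race_hook` (if non-NULL) runs inside the window and stands in for
 * a concurrent local process changing the filesystem. */
int open_checked_then_used(const char *path, void (*race_hook)(const char *))
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;                    /* check: "this is a regular file" */
    if (race_hook) race_hook(path);   /* window: the name can be re-bound */
    return open(path, O_RDONLY);      /* use: plain open() follows symlinks */
}

/* Hardened form: the kernel refuses a symlink at open time (O_NOFOLLOW), and
 * the type check is done on the descriptor with fstat(), so the object that
 * was checked is the object that is used. */
int open_regular_nofollow(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0) return -1;            /* ELOOP when `path` is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* ---- constructed fixture, not part of the advisory ---- */
/* Creates <dir>/victim and <dir>/secret as regular files under /tmp. */
static int make_fixture(char *dir, size_t len)
{
    char tmpl[] = "/tmp/toctou-demo-XXXXXX", p[160];
    const char *names[] = {"victim", "secret"};
    const char *texts[] = {"victim data\n", "secret data\n"};
    if (!mkdtemp(tmpl)) return -1;
    snprintf(dir, len, "%s", tmpl);
    for (int i = 0; i < 2; i++) {
        snprintf(p, sizeof p, "%s/%s", dir, names[i]);
        int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0 || write(fd, texts[i], strlen(texts[i])) < 0) return -1;
        close(fd);
    }
    return 0;
}

static void remove_fixture(const char *dir)
{
    char p[160];
    snprintf(p, sizeof p, "%s/victim", dir); unlink(p);
    snprintf(p, sizeof p, "%s/secret", dir); unlink(p);
    rmdir(dir);
}

/* The change the advisory describes: the checked regular file becomes a
 * symlink, here pointing at the sibling file `secret` in the same directory. */
static void rebind_to_sibling(const char *path)
{
    unlink(path);
    symlink("secret", path);
}

/* Returns 1 if the descriptor handed back really refers to `secret` (the check
 * was bypassed), 0 if the open was refused, -1 on fixture error. `hardened`
 * selects the open routine; the symlink swap happens inside the race window
 * (naive) or just before the open (hardened). */
int scenario(int hardened)
{
    char dir[128], victim[160], buf[64] = {0};
    if (make_fixture(dir, sizeof dir) != 0) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    int fd;
    if (hardened) {
        rebind_to_sibling(victim);
        fd = open_regular_nofollow(victim);
    } else {
        fd = open_checked_then_used(victim, rebind_to_sibling);
    }
    int leaked = 0;
    if (fd >= 0) {
        leaked = read(fd, buf, sizeof buf - 1) > 0 && strcmp(buf, "secret data\n") == 0;
        close(fd);
    }
    remove_fixture(dir);
    return leaked;
}

int main(void)
{
    printf("naive open reached `secret`: %d\n", scenario(0));
    printf("O_NOFOLLOW + fstat reached `secret`: %d\n", scenario(1));
    return 0;
}
```

The same idea extends to whole-tree operations: walk with openat() relative to a directory descriptor, open each entry with O_NOFOLLOW, and use fstat()/fstatat() with AT_SYMLINK_NOFOLLOW on the result rather than re-resolving the path at each step, so that no decision is made on a name that another process can re-bind before it is used.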

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2 versions)

  • Libuser/Libuser (no CPE): 0.56, 0.57

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — this section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (5)

News mentions (0)

No linked articles in our index yet.